Audit Report

OIG-11-023
INFORMATION TECHNOLOGY: The Department of the Treasury Federal Information Security Management Act Fiscal Year 2010 Audit

November 12, 2010

Office of Inspector General
Department of the Treasury

This report has been reissued to correct the report number on the cover page from OIG-10-023 to OIG-11-023. Additionally, at the request of the Treasury Inspector General for Tax Administration, certain information on page 16 of their report is redacted pursuant to 5 U.S.C. §552(b)(2).

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220
OFFICE OF INSPECTOR GENERAL

November 12, 2010

MEMORANDUM FOR DANIEL TANGHERLINI
               ASSISTANT SECRETARY OF THE TREASURY FOR MANAGEMENT AND CHIEF FINANCIAL OFFICER

               DIANE LITMAN
               ACTING DEPUTY ASSISTANT SECRETARY OF INFORMATION SYSTEMS AND CHIEF INFORMATION OFFICER

FROM:          Marla A. Freedman /s/
               Assistant Inspector General for Audit

SUBJECT:       The Department of the Treasury Federal Information Security Management Act Fiscal Year 2010 Audit

We are pleased to transmit the following reports:

  • The Department of the Treasury Federal Information Security Management Act Fiscal Year 2010 Performance Audit, November 10, 2010
  • Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2010 (Audit # 2011-20-003), November 10, 2010

The Federal Information Security Management Act (FISMA)[1] requires an annual independent evaluation of the Department of the Treasury's information security program and practices. To meet FISMA requirements, we contracted with KPMG LLP, an independent certified public accounting firm, to perform the FISMA evaluation of Treasury's non-Internal Revenue Service (IRS) unclassified systems. KPMG's work was largely driven by the Office of Management and Budget's (OMB) FISMA 2010 Reporting Guidelines. Attachment 1 contains KPMG's report and The Department of the Treasury's Consolidated Response to OMB's FISMA 2010 Questions for Inspectors General (Appendix II of KPMG's report). The response incorporates our response as well as that of the Treasury Inspector General for Tax Administration (TIGTA). Attachment 2 contains TIGTA's stand-alone evaluation of FISMA compliance for IRS systems.[2]

[1] 44 U.S.C. §§ 3541–3549.
[2] We did not review the work performed by TIGTA to evaluate the information security program and practices of IRS. Our overall conclusions, insofar as they relate to IRS, are based solely on TIGTA's report (attachment 2). We did, however, coordinate with TIGTA on the scope and methodology, including sample selection, of our respective engagements.

Based on the results of KPMG's audit, those reported by TIGTA, and a related report by the Government Accountability Office (GAO),[3] we determined that Treasury's information security program is in place and generally consistent with FISMA, but improvements are needed.

[3] FINANCIAL AUDIT: IRS's Fiscal Years 2010 and 2009 Financial Statements (GAO-11-142, dated November 2010)

The KPMG audit of Treasury's unclassified systems (except for those of IRS) indicated that additional steps are required to ensure that Treasury's information security risk management program and practices fully comply with applicable National Institute of Standards and Technology standards and guidelines and FISMA requirements. Specifically, KPMG reported that:

  1. Logical and physical account management activities were not consistently performed
  2. Outsourcing the information system security officer role created an information technology governance concern at Financial Management System
  3. Plans of action and milestones were not updated timely and maintained at Financial Management System and Office of the Comptroller of the Currency
  4. Security incidents were not reported timely at Bureau of the Public Debt and Alcohol and Tobacco Tax and Trade Bureau
  5. Reviews of audit logs were not documented at Bureau of Engraving and Printing
  6. Electronic media destruction process at Financial Crimes Enforcement Network was not fully compliant with its internal policies
  7. Password settings were not properly configured to lockout for a Bureau of the Public Debt system

TIGTA reported that IRS was also generally consistent with FISMA requirements. However, TIGTA noted that the IRS information security program was not fully effective as a result of the conditions identified in configuration management, security training, plans of action and milestones, identity and access management, continuous monitoring management, contingency planning, and contractor systems.

In addition, GAO reported a continuing material weakness in IRS's internal control over information security that resulted in IRS's inability to rely on the controls embedded in its automated financial management systems to provide reasonable assurance that (1) the financial statements are fairly stated in accordance with U.S. generally accepted accounting principles; (2) financial information management relies on to support day-to-day decision-making is current, complete, and accurate; and (3) proprietary information processed by these automated systems is appropriately safeguarded. The new deficiencies identified during fiscal year 2010 and the unresolved deficiencies from prior audits continue to jeopardize the confidentiality, integrity, and availability of information processed by IRS's key systems, and increased the risk of material misstatement of financial reporting.

If you have any questions or require further information, you may contact me at (202) 927-5400 or Joel A.
Grover, Deputy Assistant Inspector General for Financial Management and Information Technology Audit, at (202) 927-5768.

Attachments

cc: Edward A. Roback
    Associate Chief Information Officer
    Cyber Security

ATTACHMENT 1

The Department of the Treasury
Federal Information Security Management Act
Fiscal Year 2010 Performance Audit,
November 10, 2010

The Department of the Treasury
Federal Information Security Management Act
Fiscal Year 2010 Performance Audit

November 10, 2010

KPMG LLP
2001 M Street, NW
Washington, DC 20036

The Department of the Treasury
Federal Information Security Management Act Fiscal Year 2010 Performance Audit

Table of Contents

FISMA Performance Audit Report
BACKGROUND ... 3
  Federal Information Security Management Act (FISMA) ... 3
  Federal Standards and Guidelines ... 3
  Treasury Bureaus/Offices (Bureaus) ... 4
  Treasury Information Security Management Program ... 5
OBJECTIVE, SCOPE, & METHODOLOGY ... 8
OVERALL AUDIT RESULTS ... 11
FINDINGS ... 13
  1. Logical and Physical Account Management Activities Were Not Consistently Performed ... 13
  2. Outsourcing the ISSO Role Created an IT Governance Concern at FMS ... 15
  3. POA&Ms Were Not Updated Timely and Maintained at FMS and OCC ... 16
  4. Security Incidents Were Not Reported Timely at BPD and TTB ... 17
  5. Reviews of Audit Logs Were Not Documented at BEP ... 18
  6. Electronic Media Destruction Process at FinCEN Was Not Fully Compliant with Its Internal Policies ... 18
  7. Password Settings Were Not Properly Configured to Lockout for a BPD System ... 19
MANAGEMENT RESPONSE TO DRAFT REPORT ... 20

Appendices
APPENDIX I – STATUS OF PRIOR YEAR FINDINGS ... 32
APPENDIX II – THE DEPARTMENT OF THE TREASURY'S CONSOLIDATED RESPONSE TO OMB'S FISMA 2010 QUESTIONS FOR INSPECTORS GENERAL ... 35
APPENDIX III – APPROACH TO SELECTION OF SUBSET OF SYSTEMS ... 49
APPENDIX IV – SELECTED SECURITY CONTROL CLASSES AND FAMILIES ... 51
APPENDIX V – LIST OF ACRONYMS ... 56

KPMG LLP
2001 M Street, NW
Washington, DC 20036-3389

Honorable Eric Thorson
Inspector General, Department of the Treasury
1500 Pennsylvania Avenue, N.W.
Room 4436
Washington, DC 20220

Re: The Department of the Treasury Federal Information Security Management Act Fiscal Year 2010 Performance Audit

Dear Mr. Thorson:

This report presents the results of our independent evaluation of the Department of the Treasury's information security program and practices. The Federal Information Security Management Act of 2002 (FISMA) requires federal agencies, including the Department of the Treasury, to have an annual independent evaluation performed of their information security programs and practices and to report the results of the evaluations to the Office of Management and Budget (OMB). FISMA requires that the independent evaluation be performed by the agency Inspector General (IG) or an independent external auditor as determined by the IG. The Department of the Treasury Office of Inspector General (OIG) contracted with KPMG LLP (KPMG) to conduct this independent evaluation (referred to herein as a "performance audit").

We conducted our performance audit in accordance with generally accepted government auditing standards (GAGAS) issued by the Comptroller General of the United States (U.S.). Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective.
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

The objective of the performance audit was to determine the effectiveness of the Department of the Treasury's information security program and practices for its unclassified systems, including the Department of the Treasury's compliance with FISMA and related information security policies, procedures, standards, and guidelines. We based our work, in part, on an assessment of fifteen (15) information systems across thirteen (13) Treasury components. The scope of our work did not include the Internal Revenue Service (IRS), as the component was audited by the Treasury Inspector General for Tax Administration (TIGTA). Additional details regarding the scope of our performance audit are included in the Objective, Scope, and Methodology section of this report.

Based on our audit work, we concluded that the U.S. Department of the Treasury's information security program for its non-IRS bureaus was generally consistent with the FISMA legislation, OMB information security requirements, and related information security standards published by the National Institute of Standards and Technology (NIST). While the information security program was generally consistent with the FISMA legislation, the program was not fully effective as reflected in the findings identified in the following areas:

  1. Logical and Physical Account Management Activities Were Not Consistently Performed
  2. Outsourcing the Information System Security Officer (ISSO) Role Created an Information Technology (IT) Governance Concern at Financial Management System (FMS)
  3. Plan of Action and Milestones (POA&Ms) Were Not Updated Timely and Maintained at FMS and Office of the Comptroller of the Currency (OCC)
  4. Security Incidents Were Not Reported Timely at Bureau of the Public Debt (BPD) and Alcohol and Tobacco Tax and Trade Bureau (TTB)
  5. Reviews of Audit Logs Were Not Documented at Bureau of Engraving and Printing (BEP)
  6. Electronic Media Destruction Process at Financial Crimes Enforcement Network (FinCEN) Was Not Fully Compliant with Its Internal Policies
  7. Password Settings Were Not Properly Configured to Lockout for a BPD System

We have made 29 recommendations related to these control deficiencies that, if addressed by management, will strengthen the respective bureaus, offices, and the Department's information security program.

This performance audit did not constitute an audit of financial statements in accordance with GAGAS. We were not engaged to, and did not, render an opinion on the Department of the Treasury's internal controls over financial reporting or over financial management systems (for purposes of OMB Circular No. A-127, Financial Management Systems–Revised, dated January 9, 2009). We tested controls that were implemented as of June 30, 2010. We caution that projecting the results of our audit to future periods is subject to the risks that controls may become inadequate because of changes in conditions or because compliance with controls may deteriorate.

Appendix I, Status of Prior Year Findings, summarizes the U.S. Department of the Treasury's progress in addressing prior year recommendations. Appendix II provides The Department of the Treasury's Consolidated Response to OMB's FISMA 2010 Questions for Inspectors General. Appendix III, Approach to Selection of Subset of Systems, describes how we selected systems for review. Appendix IV, Selected Security Control Classes and Families, describes the selected NIST Special Publication 800-53 security controls reviewed for each of the selected systems, and Appendix V contains a list of acronyms used in this report.

Sincerely,

November 10, 2010

The Department of the Treasury FISMA Performance Audit – 2010

BACKGROUND

Federal Information Security Management Act (FISMA)

Title III of the E-Government Act of 2002 (the Act), commonly referred to as the Federal Information Security Management Act (FISMA), focuses on improving oversight of federal information security programs and facilitating progress in correcting agency information security weaknesses. FISMA requires federal agencies to develop, document, and implement an agency-wide information security program that provides security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. The Act assigns specific responsibilities to agency heads and Inspectors General (IGs) in complying with requirements of FISMA.
The Act is supported by Office of Management and Budget (OMB), agency security policy, and risk-based standards and guidelines published by National Institute of Standards and Technology (NIST) related to information security practices.

Under FISMA, agency heads are responsible for providing information security protections commensurate with the risk and magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems. Agency heads are also responsible for complying with the requirements of FISMA and related OMB policies and NIST procedures, standards, and guidelines. FISMA directs federal agencies to report annually to the OMB Director, the Comptroller General, and selected congressional committees on the adequacy and effectiveness of agency information security policies, procedures, and practices and compliance with FISMA. In addition, FISMA requires agencies to have an annual independent evaluation of their information security programs and practices performed by the agency IG or an independent external auditor as determined by the IG.

Federal Standards and Guidelines

OMB has directed agencies to use NIST Federal Information Processing Standards (FIPS) Publication 199, Security Categorization of Federal Information and Information Systems, to apply a security categorization to an information system. This rating is assigned to an information system based on the agency's assessment of the system's confidentiality, integrity, and availability. NIST FIPS Publication 199 and NIST Special Publication 800-60 Revision 1, Guide to Mapping Types of Information and Information Systems to Security Categories (2 Volumes), outline a framework that requires agencies to evaluate and categorize the potential magnitude of harm that a breach of security associated with specific information and information systems could have on agency operations and assets. The framework provides agencies with standards and guidance on how agencies should group information for evaluation, evaluate and categorize information and information systems, and document the process.

OMB has further directed that agencies use NIST FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, to apply a security controls baseline to the information system based on the FIPS Publication 199 categorization. FIPS Publication 200 specifies the minimum security requirements for the information system and provides a risk-based process for determining the minimum security controls necessary for the information system. FIPS Publication 200 specifies seventeen (17) control families that must be addressed when implementing security controls to adequately mitigate risk to an acceptable level.

NIST Special Publication 800-53 Revision 2, Recommended Security Controls for Federal Information Systems, further defines the seventeen (17) control families outlined in FIPS Publication 200 by defining the minimum set of security controls for non-national security systems of all Federal agencies within each of the control families.

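The FIPS 199 high-water-mark categorization and the FIPS 200 baseline selection that the preceding paragraphs describe, worked through as an added Python example that is not part of the audit report or any Treasury system. The information types, their impact levels, and the `adjustments` override are constructed for illustration and are not values taken from the SP 800-60 tables.

```python
"""FIPS 199 security categorization and FIPS 200 baseline selection.

Added illustration, not code from the audit report or from Treasury. The
information types and their impact levels below are constructed for this
example; they are not taken from NIST SP 800-60 or from any Treasury system.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# FIPS 199 impact levels, ordered so that max() yields the high-water mark.
IMPACT_LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {level: i for i, level in enumerate(IMPACT_LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One information type the system processes, with its provisional
    impact level for each security objective (SP 800-60 style)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _check_level(owner: str, level: str) -> str:
    """Normalise an impact level and reject anything outside FIPS 199."""
    level = level.strip().upper()
    if level not in RANK:
        raise ValueError(f"{owner}: impact level must be one of {IMPACT_LEVELS}, got {level!r}")
    return level


def categorize_system(
    info_types: Sequence[InformationType],
    adjustments: Optional[Dict[Tuple[str, str], str]] = None,
) -> Dict[str, str]:
    """FIPS 199 step: derive the system's impact level per objective.

    Each objective takes the highest ("high-water mark") provisional level
    across every information type the system handles. `adjustments` maps
    (information type name, objective) to an agency-adjusted level, which
    SP 800-60 permits when the provisional level is documented as unsuitable
    for the specific system; an adjustment changes only that one cell.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    adjustments = adjustments or {}
    known = {it.name for it in info_types}
    for (name, objective) in adjustments:
        if name not in known or objective not in OBJECTIVES:
            raise ValueError(f"adjustment refers to unknown cell ({name!r}, {objective!r})")
    result: Dict[str, str] = {}
    for objective in OBJECTIVES:
        levels: List[str] = []
        for it in info_types:
            provisional = getattr(it, objective)
            level = adjustments.get((it.name, objective), provisional)
            levels.append(_check_level(f"{it.name}/{objective}", level))
        result[objective] = max(levels, key=RANK.__getitem__)
    return result


def select_baseline(per_objective: Dict[str, str]) -> str:
    """FIPS 200 step: the overall category, and therefore the SP 800-53
    baseline (low, moderate or high), is the highest of the three levels."""
    return max((per_objective[o] for o in OBJECTIVES), key=RANK.__getitem__)


def fips199_statement(system_name: str, per_objective: Dict[str, str]) -> str:
    """Render the categorization in the notation FIPS 199 uses."""
    parts = ", ".join(f"({o}, {per_objective[o]})" for o in OBJECTIVES)
    return f"SC {system_name} = {{{parts}}}"


# Constructed information types for a hypothetical disbursement system.
EXAMPLE_TYPES = (
    InformationType("Public web content", "LOW", "LOW", "LOW"),
    InformationType("Personnel records", "MODERATE", "MODERATE", "LOW"),
    InformationType("Disbursement transactions", "MODERATE", "HIGH", "MODERATE"),
)


def example() -> Tuple[Dict[str, str], str, str]:
    """Categorize the constructed system twice: as provisionally rated, and
    after the agency lowers integrity for the transaction data to MODERATE."""
    provisional = categorize_system(EXAMPLE_TYPES)
    adjusted = categorize_system(
        EXAMPLE_TYPES, adjustments={("Disbursement transactions", "integrity"): "moderate"}
    )
    return provisional, select_baseline(provisional), select_baseline(adjusted)


if __name__ == "__main__":
    per_objective, baseline, adjusted_baseline = example()
    print(fips199_statement("disbursement system", per_objective))
    print("FIPS 200 baseline:", baseline, "-> after adjustment:", adjusted_baseline)
```

A single HIGH cell for one objective of one information type is enough to pull the whole system into the high baseline, which is why documented adjustments matter to the cost of the control set.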
NIST Special Publication 800-53 Revision 2 groups the seventeen (17) control families into three (3) control classes (management, operational, and technical security controls). Management controls are the safeguards or countermeasures, related to an information system, that focus on the management of risk and system security. Operational controls are the safeguards and countermeasures for an information system that are primarily implemented and executed by individuals (as opposed to information systems). Technical controls are the safeguards or countermeasures for an information system that are primarily implemented and executed by the system through mechanisms contained in the hardware, software, or firmware components of the system. Table 1 details the security control classes and families.

Table 1: Selected Security Control Classes and Families

Security Control Class   Security Control Family
Management               Risk Assessment
                         Planning
                         System and Services Acquisition
                         Certification, Accreditation, and Security Assessments
Operational              Physical and Environmental Protection
                         Contingency Planning
                         Configuration Management
                         Maintenance
                         Media Protection
Technical                Identification and Authentication
                         Access Control
                         Audit and Accountability
                         System and Communications Protection
Source: NIST Security Standards (see Appendix IV)

Treasury Bureaus/Offices (Bureaus)

Treasury is composed of fourteen (14) operating bureaus, including:

1. Alcohol and Tobacco Tax and Trade Bureau (TTB) – Responsible for enforcing and administering laws covering the production, use, and distribution of alcohol and tobacco products. TTB also collects excise taxes for firearms and ammunition.
2. Bureau of Engraving and Printing (BEP) – Designs and manufactures United States (U.S.) currency (paper), securities, and other official certificates and awards.
3. Bureau of the Public Debt (BPD) – Borrows the money needed to operate the Federal government. It administers the public debt by issuing and servicing U.S. Treasury marketable, savings, and special securities.
4. Community Development Financial Institution (CDFI) Fund – Created to expand the availability of credit, investment capital, and financial services in distressed urban and rural communities.
5. Departmental Offices (DO) – Primarily responsible for policy formulation. The DO is composed of divisions headed by Assistant Secretaries, some of whom report to Under Secretaries.
6. Financial Crimes Enforcement Network (FinCEN) – Supports law enforcement investigative efforts and fosters interagency and global cooperation against domestic and international financial crimes. It also provides U.S. policy makers with strategic analyses of domestic and worldwide trends and patterns.
7. Financial Management Service (FMS) – Receives and disburses all public monies, maintains government accounts, and prepares daily and monthly reports on the status of government finances.
8. Internal Revenue Service (IRS) – Responsible for determining, assessing, and collecting internal revenue in the U.S.
9. Office of the Comptroller of the Currency (OCC) – Charters, regulates, and supervises national banks to ensure a safe, sound, and competitive banking system that supports the citizens, communities, and economy of the United States.
10. Office of the Inspector General (OIG) – Conducts and supervises audits and investigations of Treasury programs and operations. The OIG also keeps the Secretary and the Congress fully and currently informed about problems, abuses, and deficiencies in Treasury programs and operations.
11. Office of Thrift Supervision (OTS) – The primary regulator of all Federal and many state-chartered thrift institutions, which include savings banks and savings and loan associations.
12. United States Mint (Mint) – Designs and manufactures domestic, bullion, and foreign coins as well as commemorative medals and other numismatic items. The Mint also distributes U.S. coins to the Federal Reserve banks as well as maintains physical custody and protection of our nation's silver and gold assets.
13. Special Inspector General for the Troubled Asset Relief Program (SIGTARP) – Has the responsibility to conduct, supervise and coordinate audits and investigations of the purchase, management, and sale of assets under the Troubled Asset Relief Program (TARP). SIGTARP's goal is to promote economic stability by assiduously protecting the interests of those who fund the TARP programs (i.e., the American taxpayers).
14. Treasury Inspector General for Tax Administration (TIGTA) – Conducts and supervises audits and investigations of IRS programs and operations. The TIGTA also keeps the Secretary and the Congress fully and currently informed about problems, abuses, and deficiencies in IRS programs and operations.

The scope of KPMG's 2010 FISMA audit did not include the IRS.

Treasury Information Security Management Program

Treasury Office of the Chief Information Officer (OCIO)

The Treasury Chief Information Officer (TCIO) is responsible for providing Treasury-wide leadership and direction for all areas of information and technology management, as well as the oversight of a number of information technology (IT) programs. Among these programs is Cyber Security, which has responsibility for the implementation and management of Treasury-wide IT security programs and practices. Through its mission, the Treasury Office of the Chief Information Officer (OCIO) Cyber Security Program develops and implements IT security policies and provides policy compliance oversight for both unclassified and classified systems managed by each of Treasury's bureaus.
The OCIO, Cyber\nSecurity Program\xe2\x80\x99s mission focuses on the following areas:\n\n1.\t Cyber Security Policy and Program Performance Measurement \xe2\x80\x93 Manages and coordinates the\n    Departmental cyber security policy for sensitive (unclassified) systems throughout the Department,\n    assuring these policies and requirements are updated to address today\xe2\x80\x99s threat environment, and\n    conducts program performance, progress monitoring and analysis.\n\n\n                                                                                                    Page 5\n\x0cThe Department of the Treasury FISMA Performance Audit \xe2\x80\x93 2010\n2.\t Cyber Security FISMA Performance and Technical Review \xe2\x80\x93 Provides assistance, conducts\n    reviews, and tracks metrics to enhance security performance, thereby strengthening the overall cyber\n    security posture of the Department.\n3.\t Vulnerability Analysis, Configuration, and Planning \xe2\x80\x93 Analyzes current and emerging\n    technologies and directs the Department\xe2\x80\x99s strategies and plans to mitigate cyber security risks from\n    configuration and other vulnerabilities.\n4.\t Cyber Critical Infrastructure Protection (CIP) \xe2\x80\x93 Implements cyber-related requirements of\n    Homeland Security Presidential Directive No. 7, Critical Infrastructure Identification, Prioritization,\n    and Protection, focusing on the protection of Department-owned cyber assets.\n5.\t Treasury Computer Security Incident Response Capability (TCSIRC) \xe2\x80\x93 Leads the TCSIRC and\n    provides Department-wide policy to the operation of each bureau\xe2\x80\x99s Computer Security Incident\n    Response Center (CSIRCs). 
It also facilitates incident reporting with external reporting entities and conducts performance monitoring of CSIRCs within the Department.
6. National Security Systems – Manages and coordinates the Department-wide program to address the cyber security requirements of national security systems through the development of policy and program or technical security performance reviews.
7. Cyber Security Sub-Council (CSS) of the TCIO Council – Serves as the formal means for gaining bureau input and advice as new policies are developed, enterprise-wide activities are considered, and performance measures are developed and implemented.

The TCIO has tasked the Associate Chief Information Officer for Cyber Security (ACIOCS) with the responsibility of managing and directing the OCIO’s Cyber Security program, as well as ensuring compliance with statutes, regulations, policies, and guidance. The ACIOCS and the Cyber Security Program have established Treasury Directive Publication (TD P) 85-01, Treasury Information Technology Security Program, as the Treasury-wide IT security policy to provide for information security for all information and information systems that support the mission of the Treasury, including those operated by another Federal agency or contractor on behalf of Treasury. In addition, as OMB periodically releases updates/clarifications of FISMA or as NIST releases updates to publications, the ACIOCS and the Cyber Security Program have responsibility to interpret and release updated policy for Treasury. The ACIOCS and the Cyber Security Program are also responsible for promoting and coordinating a Treasury-wide IT security program, as well as monitoring and evaluating the status of Treasury’s IT security posture and compliance with statutes, regulations, policies, and guidance. Lastly, the ACIOCS has the responsibility of managing Treasury’s IT CIP program for Treasury information technology assets.

Bureau Chief Information Officers (CIOs)

Organizationally, the Treasury has established bureau-level and office Chief Information Officers (CIOs) under the OCIO. The CIOs are responsible for managing the IT security program for their bureau, as well as advising the bureau head on significant issues related to the bureau IT security program. The CIOs also have the responsibility for overseeing the development of procedures that comply with Treasury OCIO policy and guidance and federal statutes, regulations, policy, and guidance. The bureau Chief Information Security Officers (CISO) are tasked by their respective CIOs to serve as the central point of contact for the bureau’s IT security program, as well as to develop and oversee the bureau’s IT security program. This includes the development of policies, procedures, and guidance required to implement and monitor the bureau IT security program.

The Department of the Treasury FISMA Performance Audit – 2010

Treasury – Bureau OCIO Collaboration

The Treasury OCIO has established the Treasury CIO CSS, which is co-chaired by the ACIOCS and a Bureau CIO. The CSS serves as a mechanism for obtaining bureau-level input and advises on new policies, Treasury-wide IT security activities, and performance measures. The CSS also provides a means for sharing IT security-related information among bureaus. Included on the CSS are representatives from the OCIO, bureau CIO organizations, as well as the OIG – Office of IT Audits and TIGTA – Office of Audits.

OBJECTIVE, SCOPE, & METHODOLOGY

The objectives for this performance audit were to determine the effectiveness of Treasury’s information security programs and practices as of June 30, 2010, and to determine whether non-IRS Treasury bureaus had implemented:

• An information security program, consisting of policies, procedures, and security controls consistent with the FISMA legislation
• The security controls catalog contained in NIST SP 800-53, Revision 2, Recommended Security Controls for Federal Information Systems.

We conducted our performance audit in accordance with generally accepted government auditing standards (GAGAS) issued by the Comptroller General of the United States (U.S.). Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective.

To accomplish our objectives, we evaluated security controls in accordance with applicable legislation, Presidential directives, OMB Memorandum 10-15, FY 2010 Reporting Instructions for Federal Information Security Management Act and Agency Privacy Management, and NIST standards and guidelines as outlined in the Criteria section. We reviewed the Treasury information security program from both the Department-level perspective for Treasury-wide program level controls and the Bureau-level implementation perspective.
We considered each area above to reach an overall conclusion regarding Treasury’s information security program and practices.

KPMG took a phased approach to satisfy the audit’s objective. Specifically, the following three phases were employed:

I. Assessment of Department-Level Compliance

To gain an overall enterprise-level understanding, we assessed management, policies, and guidance for the overall Treasury-wide information security program per requirements defined in FISMA and OMB Memorandum 10-15, NIST Special Publication 800-53, as well as Treasury guidelines developed in response to FISMA. This included program controls applicable to information security governance, certification and accreditation, security configuration management, incident response and reporting, security training, plan of action and milestones (POA&M), remote access, account and identity management, continuous monitoring, contingency planning, and contractor systems.

II. Assessment of Bureau-Level Compliance

To gain an overall bureau-level understanding, we assessed the implementation of the guidance for the 13 bureau and office-wide information security programs per requirements defined in FISMA and OMB Memorandum 10-15, NIST Special Publication 800-53, as well as Treasury guidelines developed in response to FISMA. This included program controls applicable to information security governance, certification and accreditation, security configuration management, incident response and reporting, security training, POA&M, remote access, account and identity management, continuous monitoring, contingency planning, and contractor systems.

III. Assessment of the Implementation of Select Security Controls from the NIST SP 800-53 Revision 2

To gain an overall understanding of how effectively the bureaus implemented information security programs at the system level, we assessed the implementation of a selection of security controls from the NIST SP 800-53 Revision 2 for a representative subset of Treasury information systems (see Appendix IV).

To conclude on the audit’s objectives, our scope included evaluating the information security practices and policies established by the Treasury OCIO. In addition, we evaluated the information security practices, policies, and procedures in use across the thirteen (13) bureaus of the Treasury, excluding the IRS.

We also tested a representative subset of fifteen (15) information systems from a total population of 112 non-IRS major applications and general support systems as of April 14, 2010. [1] We tested the fifteen (15) information systems to determine whether bureaus were effective in implementing Treasury’s security program and meeting the FIPS 200 minimum security standards to protect information and information systems. Appendix III, Approach to Selection of Subset of Systems, provides additional details regarding our system selection. The subset of systems encompassed systems managed and operated by twelve (12) of 14 Treasury bureaus, excluding IRS and TIGTA. [2]

Our criteria for selecting security controls within each system were based on the following:
• Controls that were shared across a number of information systems, such as common controls.
• Controls that were likely to change over time (i.e., volatile) and require human intervention.
• Controls that were identified in prior audits as requiring management’s attention.

Other Considerations

In performing our control evaluations, we interviewed key Treasury OCIO personnel who had significant information security responsibilities as well as personnel across the thirteen (13) non-IRS bureaus. We also evaluated Treasury and bureaus’ policies, procedures, and guidelines. Lastly, we evaluated selected security-related documents and records, including certification and accreditation packages, configuration assessment results, and training records.

We performed our fieldwork at Treasury’s headquarters offices in Washington, D.C., and bureau locations in Washington, D.C.; Hyattsville, Maryland; McLean, Virginia; Parkersburg, West Virginia; and Newark, Delaware during the period of April 26, 2010 through September 30, 2010. During our performance audit, we met with Treasury management to discuss our preliminary conclusions.

[1] A representative subset of information systems refers to KPMG’s approach of stratifying the population of non-IRS Treasury information systems and selecting an information system from each Treasury bureau, excluding IRS and TIGTA, rather than selecting a random sample of information systems that might exclude a Treasury bureau.
[2] A decision was made to inspect only one (1) OIG system every year.

Criteria

Our approach to this FISMA performance audit was based on federal information security guidance developed by NIST and OMB.
NIST Special Publications provide guidelines that are considered essential to the development and implementation of agencies’ security programs. [3] The following is a listing of the criteria used in the performance of the Fiscal Year (FY) 2010 FISMA performance audit:

• OMB Circular A-130, Management of Federal Information Resources

• NIST FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems

• NIST FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems

• NIST Special Publications:
  o 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model
  o 800-18 Revision 1, Guide for Developing Security Plans for Information Technology Systems
  o 800-30, Risk Management Guide for Information Technology Systems
  o 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
  o 800-39, Managing Risk from Information Systems: An Organizational Perspective
  o 800-34, Contingency Planning Guide for Information Technology Systems
  o 800-53 Revision 2, Recommended Security Controls for Federal Information Systems
  o 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
  o 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories
  o 800-61, Computer Security Incident Handling Guide
  o 800-70, Security Configuration Checklists Program for IT Products: Guidance for Checklists Users and Developers

• OMB Memoranda
  o 04-04, E-Authentication Guidance for Federal Agencies
  o 04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act
  o 07-11, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems
  o 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information
  o 07-18, Ensuring New Acquisitions Include Common Security Configurations
  o 08-22, Guidance on the Federal Desktop Core Configuration (FDCC)
  o 10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management

• Treasury Guidance
  o TD P 85-01, Treasury Information Technology Security Program

[3] Note (per OMB instructions): While agencies are required to follow NIST standards and guidance in accordance with OMB policy, there is flexibility within NIST’s guidance documents in how agencies apply the guidance. However, NIST Special Publication 800-53 is mandatory because FIPS 200 specifically requires it. Unless specified by additional implementing policy by OMB, guidance documents published by NIST generally allow agencies latitude in their application. Consequently, the application of NIST guidance by agencies can result in different security solutions that are equally acceptable and compliant with the guidance.

OVERALL AUDIT RESULTS

We concluded that the Department’s information security program for its non-IRS bureaus was generally consistent [4] with the FISMA legislation and related information security policies, standards, and guidelines. However, the program was not fully effective, resulting in the identification of the following control deficiencies:

1. Logical and Physical Account Management Activities Were Not Consistently Performed
2. Outsourcing the Information System Security Officer (ISSO) Role Created an Information Technology (IT) Governance Concern at Financial Management System (FMS)
3. Plan of Action and Milestones (POA&Ms) Were Not Updated Timely and Maintained at FMS and Office of the Comptroller of the Currency (OCC)
4. Security Incidents Were Not Reported Timely at Bureau of the Public Debt (BPD) and Alcohol and Tobacco Tax and Trade Bureau (TTB)
5. Reviews of Audit Logs Were Not Documented at Bureau of Engraving and Printing (BEP)
6. Electronic Media Destruction Process at Financial Crimes Enforcement Network (FinCEN) Was Not Fully Compliant with Its Internal Policies
7. Password Settings Were Not Properly Configured to Lockout for a BPD System

We have made 29 recommendations that, if addressed, will strengthen the bureaus, offices, and the Department’s information security program.

1. Logical and Physical Account Management Activities Were Not Consistently Performed

We found access control review issues with certain bureaus and determined the need for additional attention department-wide. We identified control deficiencies in account management, specifically, the review of user access on an annual basis and the timely disabling of inactive user accounts. In addition, we noted deficiencies related to the review and configuration of physical access.
When these controls are ineffective, the data and operational status of the affected systems could adversely affect the mission, operations, and data of the bureau.

2. Outsourcing the Information System Security Officer (ISSO) Role Created an IT Governance Concern at FMS

FMS outsourced the ISSO position to a financial agent without first providing the ISSO the network connectivity to access Trusted Agent FISMA (TAF) and the bureau’s Intranet site containing security policy and security templates. Without the network connectivity, the individual could not perform all the required ISSO duties outlined in their ISSO appointment letter. In addition, the transfer of the ISSO function from an FMS employee to an employee of the financial agent created an additional concern regarding the reporting relationship of the ISSO to his supervisor, the financial agent’s operations manager. This reporting relationship may limit FMS’s ability to receive objective, independent reporting and may prevent the ISSO from fulfilling his duties.

3. POA&Ms Were Not Updated Timely and Maintained at FMS and OCC

We noted FMS and OCC did not include all vulnerabilities or timely submit and effectively track items on their POA&Ms. Without a centralized list of all known security weaknesses, OCIO may not be able to identify recurring security issues across multiple systems that could be remediated by a department-wide strategic corrective action plan.

[4] TIGTA will provide a separate report evaluating the IRS’s implementation of the U.S. Treasury’s information security program.

4. Security Incidents Were Not Reported Timely at BPD and TTB

We noted an incident response and reporting deficiency at BPD and TTB, which did not report incidents to the TCSIRC in a timely manner. When security incidents are not reported timely, there is an increased risk that sensitive information, including personally identifiable information, could be divulged and a loss of public trust could occur.

5. Reviews of Audit Logs Were Not Documented at BEP

We noted a Continuous Monitoring deficiency at BEP because the bureau did not document reviews of audit logs. When this activity is performed, there is less risk that unauthorized activity and access can go undetected. At the close of our audit, we noted that the bureau was developing standard operating procedures to review audit logs on a routine basis.

6. Electronic Media Destruction Process at FinCEN Was Not Fully Compliant with Its Internal Policies

FinCEN was not fully compliant with its media sanitization process: boxes containing old computer hard drives were left in an area outside the authorized custodian’s cubicle within the secured facility, and no inventory of these devices was maintained to ensure they were destroyed.

7. Password Settings Were Not Properly Configured to Lockout for a BPD System

BPD had invalid password lockout configuration settings on a network device.
Upon notification by KPMG auditors, the settings were immediately corrected.

Our performance audit of the Department’s information security program identified 29 recommendations that the bureaus, offices, and the Department should address to strengthen their information security management programs. The Findings section of this report presents the detailed findings and associated recommendations. In addition, we evaluated all prior year findings from the FY 2009 FISMA Evaluation and determined that the bureaus implemented all recommendations, with the exception of Prior Year Finding #5 for POA&Ms, which was reissued as FY 2010 Finding #3. See Appendix I, Status of Prior Year Findings, for additional details.

FINDINGS

1. Logical and Physical Account Management Activities Were Not Consistently Performed

The audit identified an inconsistent implementation of account management and physical access security controls at six (6) bureaus including the BEP, DO, FinCEN, OCC, OIG, and the OTS. This finding indicated that the Treasury OCIO had not provided sufficient oversight to enforce and monitor compliance with Treasury and NIST identity and access management standards and guidelines. KPMG noted the following:

1. Account Management activities were not consistently performed as required by the TD P 85-01, Treasury Information Technology Security Program, and bureau-specific policies at five (5) bureaus
   • BEP did not document its review of user accounts for the selected system in accordance with their system security plan.
   • The DO system had user and administrator accounts that had been inactive for over ninety (90) days and had not been disabled. These accounts are created and maintained by the OCIO, who uses the system for performance of their Treasury-wide FISMA oversight role.
   • The OCC system did not have an automated control in place to automatically deactivate users’ accounts after the bureau-defined period of inactivity.
   • The OIG systems had user and administrator accounts that had been inactive for over ninety (90) days and had not been disabled.
   • The periodic review of the OTS application users’ access did not include reviewing users’ privileges within the application in order to determine if they were appropriate based on users’ roles at the OTS. The review only assessed whether users were active employees at the organization.
2. Physical Access to restricted areas was not properly reviewed and administered as required by the TD P 85-01, Treasury Information Technology Security Program, and bureau-specific policies at two (2) bureaus
   • Physical access to the FinCEN data center was not reviewed annually and access approval forms were not maintained.
   • The OIG Local Area Network (LAN) room’s access list was not reviewed annually, and users who no longer needed access were not removed in a timely manner.

The above control deficiencies shared a common cause: the respective bureau or office did not appropriately review user access and disable or delete unnecessary access. By not providing sufficient oversight to ensure that all bureaus have followed Treasury and NIST requirements for the design, implementation, and testing of security controls, the Treasury OCIO may not be able to fulfill its oversight responsibilities in accordance with TD P 85-01.
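The inactive-account control behind the deficiencies above, as an added example that is not part of the KPMG report: it applies the inactivity limits the report cites (TD P 85-01's ninety days; OCC's sixty days for federal employees and thirty for contractors) and the OIG review cadence (users annually, administrators semiannually) to a constructed account export and returns the accounts that should already have been disabled or re-reviewed. The bureau keys, field names, the 182-day reading of "semiannual", and the handling of never-used and never-reviewed accounts are assumptions.

```python
"""Inactive-account and access-review check.

Added example, not part of the KPMG audit report. It applies the inactivity
limits the report cites (TD P 85-01: over 90 days; OCC: 60 days for federal
employees and 30 days for contractors) and the review cadence from the OIG
recommendation (users annually, administrators semiannually) to a constructed
account export. Bureau keys, field names, 182 days for "semiannual", and the
rules for never-used and never-reviewed accounts are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Maximum days of inactivity an enabled account may reach before it must be
# disabled. Keys are hypothetical labels; the day counts come from the report.
INACTIVITY_LIMITS: Dict[str, Dict[str, int]] = {
    "TDP85-01": {"federal": 90, "contractor": 90},  # Treasury-wide minimum
    "OCC": {"federal": 60, "contractor": 30},       # bureau-specific policy
}

# Maximum days between periodic access reviews, by account class.
REVIEW_CADENCE_DAYS: Dict[str, int] = {"user": 365, "administrator": 182}


@dataclass(frozen=True)
class Account:
    name: str
    kind: str                   # "federal" or "contractor"
    privileged: bool            # True for administrator accounts
    enabled: bool
    created: date
    last_logon: Optional[date]  # None: the account has never been used


def days_inactive(acct: Account, as_of: date) -> int:
    """Days since last use; a never-used account counts from its creation date."""
    anchor = acct.last_logon if acct.last_logon is not None else acct.created
    return (as_of - anchor).days


def accounts_to_disable(accounts: List[Account], bureau: str, as_of: date) -> List[str]:
    """Enabled accounts whose inactivity exceeds the bureau's limit for their kind."""
    limits = INACTIVITY_LIMITS[bureau]
    return sorted(
        a.name for a in accounts
        if a.enabled and days_inactive(a, as_of) > limits[a.kind]
    )


def overdue_reviews(accounts: List[Account], last_reviews: Dict[str, date],
                    as_of: date) -> List[str]:
    """Enabled accounts whose periodic access review is late or was never recorded."""
    late = []
    for a in accounts:
        if not a.enabled:
            continue
        cadence = REVIEW_CADENCE_DAYS["administrator" if a.privileged else "user"]
        reviewed = last_reviews.get(a.name)
        if reviewed is None or (as_of - reviewed).days > cadence:
            late.append(a.name)
    return sorted(late)


# Constructed sample export, dated around the audit's as-of date of June 30, 2010.
AS_OF = date(2010, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("alice", "federal", False, True, date(2009, 1, 5), date(2010, 5, 20)),
    Account("bob", "contractor", False, True, date(2009, 8, 1), date(2010, 5, 20)),
    Account("carol", "federal", True, True, date(2008, 3, 3), date(2010, 3, 1)),
    Account("dave", "federal", False, False, date(2008, 3, 3), date(2010, 1, 1)),
    Account("eve", "contractor", False, True, date(2010, 4, 1), None),
]
SAMPLE_LAST_REVIEWS = {"alice": date(2009, 5, 1), "carol": date(2010, 1, 15)}

if __name__ == "__main__":
    for bureau in INACTIVITY_LIMITS:
        print(bureau, "disable:", accounts_to_disable(SAMPLE_ACCOUNTS, bureau, AS_OF))
    print("review overdue:", overdue_reviews(SAMPLE_ACCOUNTS, SAMPLE_LAST_REVIEWS, AS_OF))
```

Running it against a real directory export means replacing SAMPLE_ACCOUNTS with the export's rows; the strict OCC contractor limit flags "bob" and the never-used "eve", which the Treasury-wide ninety-day minimum alone would not.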
This could lead to potential weaknesses of logical and physical access of information systems across the entire Department. By not implementing a periodic review of all user and administrator accounts’ inactivity and disabling the accounts according to policy, there is an increased risk that users could gain or retain unauthorized access and/or perform unauthorized transactions within their respective systems. By not implementing the periodic review of all users’ physical access to their bureaus’ IT facilities, there is an increased risk that unauthorized users could obtain physical access to secure areas they were not authorized to access.

We recommend that OCIO management:
1. Provide sufficient oversight [5] by the Treasury OCIO Cyber Security Program over the NIST Special Publication 800-53 security controls around Account Management, Physical Access Authorization, and Physical Access Control to ensure that the bureaus implement these controls. This can be accomplished by reviewing the implementation of these controls during the next OCIO review at each bureau.
2. Ensure administrators for the reviewed DO system review user accounts and disable inactive accounts in accordance with TD P 85-01 (as a minimum) and any applicable bureau policy.
3. Review administrator accounts for inactivity on a quarterly basis and disable accounts per the TD P 85-01 for the reviewed DO system.
4. Train the reviewed DO system’s administrators on how to review the accounts of the users assigned to their respective bureaus on a quarterly basis and disable the accounts that exceed ninety (90) days of inactivity.

We recommend that the BEP management:
5. Perform and document user access reviews for their system in accordance with their system security plan.

We recommend that FinCEN management:
6. Perform review and validation of physical access to restricted areas, annually.
7. Document and approve all employees’ physical access requirements.
8. Document and approve the door “zone” configuration of the physical access control system.
9. Develop a documented procedure for the approval, administration, review, and validation of access to restricted areas.

We recommend that OCC management:
10. Develop and implement an automated means to disable inactive user accounts from the reviewed system after sixty (60) days for Federal employees and thirty (30) days for contractors.

We recommend that OIG management:
11. Ensure domain user accounts are reviewed for inactivity on an annual basis and domain administrator accounts are reviewed for inactivity on a semiannual basis, and any accounts that exceed ninety (90) days of inactivity are disabled.
12. Develop policies and procedures and document them in the system security plan for the annual review of OIG LAN room access.
13. Conduct a review of users’ access to the OIG LAN room annually and remove access privileges for those individuals who do not need access.

[5] The OCIO does not provide oversight over the OIG or TIGTA to preserve the independence of the offices.

We recommend that OTS management:
14. Develop and implement a training program that outlines how the six-month user privileges review should be performed.
15. Develop and implement a mechanism to track completion of the six-month user privileges review.

2. Outsourcing the ISSO Role Created an IT Governance Concern at FMS

FMS transferred the ISSO role from a government employee to a bank employee for an outsourced information system in March 2010 by utilizing an existing financial agent agreement with a large national bank. The outsourcing of the ISSO role created two (2) IT governance concerns.

First, KPMG noted that the appointed ISSO, a bank employee, could not fully perform his assigned information security duties such as:

• Implementing changes to FMS IT security policies;
• Updating the POA&Ms for the outsourced information system; and
• Maintaining and uploading, when appropriate, the system security plan, the Contingency Plan, and Configuration Management Plan to the TAF tool.

The bank employee could not perform these duties, as the national bank and FMS had not established a network communication link or other remote access solution prior to outsourcing the ISSO role. Additionally, FMS had not included the bank employee on all FMS ISSO e-mail distribution lists to ensure the bank employee received timely notification of revisions and updates to FMS policy and procedures.
As a result, the ISSO was uninformed of changes to FMS policies and FMS security templates such as the system security plan. FMS management reported that action was taken to remediate the control deficiency by including the bank employee on all ISSO e-mail distribution lists and requesting remote access to FMS’s network for the bank employee.

Second, the transfer of the ISSO role from an FMS employee to a bank employee created additional concerns regarding IT governance. Specifically, the new ISSO, a bank employee, reported to the Operations Manager for the outsourced information system. The Operations Manager’s primary responsibility is to ensure the availability of the information system and efficiency of operations. Private industry and government best practice suggests that the IT function of computer operations should be separate from information security within IT departments, to appropriately separate duties and balance the conflicting objectives of availability and operational efficiency (i.e., Operations) against the desire for greater control and limited access (i.e., Security). The reporting relationship of the ISSO to the Operations Manager may limit FMS’s ability to receive objective, independent, and complete reporting of security matters and events.

In 2009, FMS changed its internal policies, permitting the ISSO position to be outsourced. Other factors contributed to the decision, such as budgeted staff reductions and a belief that an ISSO role could be more effective when located at the bank’s development center. Unfortunately, when the policy decision changed and FMS elected to outsource the ISSO role, FMS did not develop additional guidance for information system owners to mitigate potential conflicts and separation of duties concerns.
Specific to\nthe communication needs of an outsourced ISSO, FMS did not confirm that communication needs were\nsatisfied prior to transferring the ISSO position to a bank employee.\n\n\n\n\n                                                                                                      Page 15\n\x0cThe Department of the Treasury FISMA Performance Audit \xe2\x80\x93 2010\nWe recommend that FMS Management:\n\n16. Provide the ISSO with the network connectivity that will allow the bank employee access to FMS\n    internal resources such as Treasury\xe2\x80\x99s FISMA collection and reporting tool, current FMS IT security\n    policy and security templates, and ability to receive FMS email alerts regarding changes to FMS IT\n    security policy and security templates.\n\n17. Create FMS official guidance covering the appointment of the ISSO position at external providers. In\n    such circumstances, FMS should confirm that communication requirements and needs are satisfied\n    prior to outsourcing the ISSO position. Additionally, the guidance should address reporting\n    relationships that might impact the ISSO\xe2\x80\x99s objectivity and clearly identify monitoring activities and\n    assignment of responsibility to an FMS employee to mitigate potential conflicts.\n18. Evaluate solutions to mitigate concerns over ISSO-management reporting relationships, which could\n    include, for example, establishing or modifying internal controls, implementing monitoring tools, re-\n    aligning the ISSO position under the bank\xe2\x80\x99s Information Security team or elsewhere within the bank,\n    contracting for ISSO services through a different provider such as independent verification and\n    validation contractor, or reassigning ISSO responsibilities back to an FMS employee.\n\n\n3. 
POA&Ms Were Not Updated Timely and Maintained at FMS and OCC\n\nOMB required that all federal agencies implement a POA&M process to identify tasks that are necessary\nto remediate identified security weaknesses. The POA&M should detail resources required to accomplish\nthe elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the\nmilestones. The OCIO has established policies and procedures governing the development and\nmaintenance of POA&Ms for Department information systems and has specified the TAF tool as the\ncentral repository for POA&Ms. In addition, the bureaus also developed policies and procedures to\nimplement Departmental guidance. However, the management of POA&Ms at FMS and OCC were not\nconducted in accordance with the guidance provided. Specifically, KPMG noted the following:\n\n       \xef\x82\xb7   For two (2) of the three (3) FMS systems reviewed, previously identified security weaknesses and\n           associated remediation plans were not added timely (i.e., within 30 days6) to the POA&Ms of\n           record as required by OMB M-10-15, Treasury policy, and FMS policy.\n       \xef\x82\xb7   For one (1) OCC system, previously identified security weaknesses and associated remediation\n           plans were not added timely to the POA&M as required by OMB M-10-15, Treasury policy, and\n           bureau standards. Specifically, OCC did not update, submit, and include all necessary POA&M\n           elements for an information system.\n\nBy not maintaining updated POA&Ms, including all identified security weakness and associated\ninformation in TAF, the OCIO\xe2\x80\x99s ability to monitor aggregated risks to its systems as well as prioritize\nlimited IT resources to address known security weaknesses may be hindered. 
Additionally, without a\ncentralized list of all known security weaknesses, OCIO may not be able to identify reoccurring security\nissues across multiple systems that could be remediated by a department-wide strategic corrective action\nplan. Further, by not consistently recording identified security weaknesses in TAF, the summary-level\nsecurity metrics reported to OMB will under-report the true number of known security weaknesses\nassociated with the Department\xe2\x80\x99s information systems.\n\n\n6\n    FMS policy requires that POA&M items are entered within 30 days for information systems with a FIPS 199 High impact\n    classification.\n\n\n\n                                                                                                                     Page 16\n\x0cThe Department of the Treasury FISMA Performance Audit \xe2\x80\x93 2010\nWe recommend that FMS management:\n19. Direct ISSOs to develop and record POA&M items in TAF within the designated time period when\n    security vulnerabilities are identified.\n20. Provide additional oversight across all FMS systems to ensure that the POA&M process is managed\n    in accordance with FMS, Treasury, and OMB policy and guidance.\n\nWe recommend that OCC management:\n21. Populate the information system\xe2\x80\x99s POA&M to include vulnerabilities found in all applicable IT\n    security reviews and audits, including vulnerabilities identified from annual assessments, audit\n    reports, Treasury ACIOCS reviews, or internal bureau evaluations.\n22. Populate the information system\xe2\x80\x99s POA&M with the information required by Treasury and OCC.\n23. Develop and implement a training program for all individuals tasked with implementing the OCC\n    POA&M process.\n\n\n4. 
Security Incidents Were Not Reported Timely at BPD and TTB

BPD and TTB did not consistently report security incidents in a timely manner in accordance with NIST Special Publication 800-53; OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information; and Treasury and bureau policy.

•   Of thirteen (13) incidents documented by BPD during the reporting period, KPMG determined that four (4) of the incidents were not reported to TCSIRC within the required time period.
•   Of fifteen (15) incidents documented by TTB during the reporting period, KPMG determined that two (2) of the incidents were not reported to TCSIRC within the required time period.

By not reporting incidents or potential incidents to TCSIRC in a timely manner, there is a risk that the incident will not be responded to properly. This may result in an increased risk that sensitive information, including personally identifiable information, could be divulged and that a loss of public trust could occur.

We recommend that BPD management:

24. Ensure that all potential and actual security incidents are reported to TCSIRC within the required time period.

We recommend that TTB management:

25. Ensure that all potential and actual security incidents are reported to TCSIRC within the required time period.


5. Reviews of Audit Logs Were Not Documented at BEP

BEP did not document reviews of audit logs for the system we reviewed in accordance with NIST Special Publication 800-53 and Treasury policy. The lack of monitoring and regular review of audit logs can increase the risk that unauthorized access to the information system may go undetected.

We recommend that BEP management:

26. Develop and implement a process to review audit log information on a monthly basis for the information system that includes a requirement to document the reviews performed.


6. Electronic Media Destruction Process at FinCEN Was Not Fully Compliant with Its Internal Policies

In order to prevent unauthorized access to Treasury information, electronic media that is no longer in use must be securely stored and appropriately tracked until destroyed. FinCEN did not adequately follow its information systems security program for media sanitization, which requires media to be physically secured when both stored and transported, and that appropriate audit trail records be maintained. KPMG observed nine (9) cardboard boxes containing over 300 hard drives that were stored in an area outside the authorized custodian's cubicle within the FinCEN secured facility. Lists containing the serial numbers of the hardware in the boxes, which would allow for tracking, were not included with the hardware. In addition, the serial numbers of hardware and electronic recording media that were destroyed were not reconciled against the inventory lists to verify that all equipment and media were appropriately destroyed. By not securing the electronic media in a manner that restricts access to only the authorized custodian, and then not reconciling the serial numbers of destroyed electronic media against the known inventory listing, it is impossible to determine whether all electronic media initially identified as requiring destruction were actually destroyed.

We recommend that FinCEN management:

27. Secure and restrict access to media scheduled to be destroyed in accordance with its media sanitization policies.
28. Maintain a list identifying the device, serial number, and physical location of media that is scheduled to be destroyed.
29. Reconcile the destroyed hardware and electronic recording media with the list of items to be destroyed.


7. Password Settings Were Not Properly Configured to Lockout for a BPD System

Administrative accounts on a BPD information system were not locked after a defined number of invalid login attempts in accordance with NIST Special Publication 800-53 and system documentation. The system KPMG tested contained a technical error that did not enforce account lockouts after the defined number of invalid login attempts. After this control deficiency was identified, BPD management updated the system configuration settings to ensure that accounts and passwords were locked appropriately. By not enforcing effective lockout controls over administrative accounts to the information system, the potential for a malicious party to compromise user account passwords increased.

Since BPD management updated the system configurations to remediate this finding, no recommendations were necessary.


MANAGEMENT RESPONSE TO DRAFT REPORT

The following is the OCIO's response, dated October 29, 2010, to the draft FY 2010 FISMA Performance Audit Report.


                                       October 29, 2010

MEMORANDUM FOR MARLA A. FREEDMAN
               ASSISTANT INSPECTOR GENERAL FOR AUDIT

FROM:          Diane C. 
Litman /s/
               Acting Deputy Assistant Secretary for Information Systems
               and Chief Information Officer

SUBJECT:       Management Response to Draft Audit Report - FY 2010 Audit of Treasury's FISMA Implementation for Its Unclassified Systems

Thank you for the opportunity to comment on the draft audit report entitled, "FY 2010 Audit of Treasury's Federal Information Security Management Act (FISMA) Implementation for Its Unclassified Systems." The audit focuses on the adequacy of the Department's information security program and practices for its unclassified systems. We appreciate your acknowledgement that our security program is in place and is generally consistent with FISMA. We have carefully reviewed the draft and are in agreement with all findings and recommendations. Please refer to the attachment for further details on our planned corrective actions.

The Department is committed to continual improvement of its security program and meeting requirements of FISMA. We have made notable progress over the past year. For example, we closed all but one recommendation from last year's FISMA audit. Additionally, we have focused on the new White House security priorities, including automated reporting, as well as creative use of social media and cloud technologies. Our cloud-hosted security dashboard has improved efficiency and reduced data collection costs while enabling the Department to monitor security performance at any time from anywhere. Refining and collecting our measures in a collaborative, modern environment enabled steady security improvement and our ability to make risk-based decisions based upon real-time, accurate information.

We appreciate audit recommendations as they will help improve our security posture. If you have any questions, feel free to call Edward Roback, Associate Chief Information Officer for Cyber Security, at 202-622-2593.

Attachment

cc:   Edward Roback, Associate CIO for Cyber Security and Chief Information Security Officer
      Joel A. Grover, Deputy Assistant Inspector General for Financial Management and Information Technology Audit


                             Management Response to OIG Recommendations

Note: The Department agrees with all findings and recommendations.

(U) OIG Finding 1: Logical and Physical Account Management Activities Were Not Consistently Performed

(U) OIG Recommendation 1: For Office of the Chief Information Officer (OCIO), we recommend that management: Provide sufficient oversight[7] by the Treasury OCIO Cyber Security Program over the National Institute of Standards and Technology (NIST) Special Publication 800-53 security controls around Account Management, Physical Access Authorization, and Physical Access Control to ensure that the bureaus implement these controls. This can be accomplished by reviewing the implementation of these controls during the next OCIO review at each bureau.

    (U) Treasury Response: Treasury agrees with this recommendation. 
Treasury OCIO will enhance its Cyber Security Program by placing additional emphasis on the oversight of NIST Special Publication 800-53 security control families pertaining to access and physical controls. Target completion date is June 30, 2011.

    (U) Responsible Official: Edward Roback, Associate Chief Information Officer for Cyber Security (ACIO CS) and Chief Information Security Officer (CISO), Treasury

[7] The OCIO does not provide oversight over the OIG or TIGTA to preserve the independence of the offices.

(U) OIG Recommendation 2: For OCIO, we recommend that management: Ensure administrators for the reviewed (Departmental Offices) DO system review user accounts and disable inactive accounts in accordance with (Treasury Directive Publication) TD P 85-01 (as a minimum) and any applicable bureau policy.

    (U) Treasury Response: Treasury agrees with this recommendation. Treasury OCIO will develop processes and procedures to ensure that administrators of the reviewed DO system review user accounts and disable inactive accounts in accordance with both Treasury and applicable bureau policies. Target completion date is June 30, 2011.

    (U) Responsible Official: Edward Roback, ACIO CS and CISO, Treasury

(U) OIG Recommendation 3: For OCIO, we recommend that management: Review administrator accounts for inactivity on a quarterly basis and disable accounts per the TD P 85-01 for the reviewed DO system.

    (U) Treasury Response: Treasury agrees with this recommendation. Treasury OCIO will ensure that administrator accounts are reviewed for inactivity on a quarterly basis and disable accounts per the TD P 85-01 for the reviewed DO system. Target completion date is December 30, 2010.

    (U) Responsible Official: Edward Roback, ACIO CS and CISO, Treasury

(U) OIG Recommendation 4: For OCIO, we recommend that management: Train the reviewed DO system's administrators on how to review the accounts of the users assigned to their respective bureaus on a quarterly basis and disable the accounts that exceed ninety (90) days of inactivity.

    (U) Treasury Response: Treasury agrees with this recommendation. Treasury OCIO will ensure that administrators of the reviewed DO system are trained on bureau-level user account management to ensure compliance with Treasury's account inactivity policy. 
Target completion date is June 30, 2011.

    (U) Responsible Official: Edward Roback, ACIO CS and CISO, Treasury

(U) OIG Recommendation 5: For (Bureau of Engraving and Printing) BEP, we recommend that management: Perform and document user access reviews for their system in accordance with their system security plan.

    (U) Treasury Response: Treasury agrees with this recommendation. BEP will establish a repository to archive user access reviews within 30 days. Target completion date is November 30, 2010.

    (U) Responsible Official: Harinder Singh, CISO, BEP

(U) OIG Recommendation 6: For (Financial Crimes Enforcement Network) FinCEN, we recommend that management: Perform review and validation of physical access to restricted areas, annually.

    (U) Treasury Response: Treasury agrees with this recommendation. The FinCEN will ensure that access to restricted physical access areas is reviewed and validated annually; all employees' physical access requirements are documented and approved to the restricted areas; document and approve the zone configurations of the restricted areas; and develop a documented procedure for approval, administration, and revalidation of access to restricted areas. Target completion date is January 31, 2011.

    (U) Responsible Official: Gregory Sohn, CISO, FinCEN

(U) OIG Recommendation 7: For FinCEN, we recommend that management: Document and approve all employees' physical access requirements.

    (U) Treasury Response: Treasury agrees with this recommendation. The FinCEN will ensure that access to restricted physical access areas is reviewed and validated annually; all employees' physical access requirements are documented and approved to the restricted areas; document and approve the zone configurations of the restricted areas; and develop a documented procedure for approval, administration, and revalidation of access to restricted areas. Target completion date is January 31, 2011.

    (U) Responsible Official: Gregory Sohn, CISO, FinCEN

(U) OIG Recommendation 8: For FinCEN, we recommend that management: Document and approve the door "zone" configuration of the physical access control system.

    (U) Treasury Response: Treasury agrees with this recommendation. The FinCEN will ensure that access to restricted physical access areas is reviewed and validated annually; all employees' physical access requirements are documented and approved to the restricted areas; document and approve the zone configurations of the restricted areas; and develop a documented procedure for approval, administration, and revalidation of access to restricted areas. Target completion date is January 31, 2011.

    (U) Responsible Official: Gregory Sohn, CISO, FinCEN

(U) OIG Recommendation 9: For FinCEN, we recommend that management: Develop a documented procedure for the approval, administration, and review and validation of access to restricted areas.

    (U) Treasury Response: Treasury agrees with this recommendation. The FinCEN will ensure that access to restricted physical access areas is reviewed and validated annually; all employees' physical access requirements are documented and approved to the restricted areas; document and approve the zone configurations of the restricted areas; and develop a documented procedure for approval, administration, and revalidation of access to restricted areas. Target completion date is January 31, 2011.

    (U) Responsible Official: Gregory Sohn, CISO, FinCEN

(U) OIG Recommendation 10: For (Office of the Comptroller of the Currency) OCC, we recommend that management: Develop and implement an automated means to disable inactive user accounts from the reviewed system after sixty (60) days for Federal employees and thirty (30) days for contractors.

    (U) Treasury Response: Treasury agrees with this recommendation. Recognizing room for improvement in the account management controls currently in place, the OCC has enlisted contractor support in evaluating the current account management program. This effort includes developing requirements and working with stakeholders to determine the viability of implementing an automated tool that integrates with Microsoft Active Directory. This remediation is ongoing, with a planned remediation date of June 30, 2011.

    (U) Responsible Official: Roger Mahach, CISO and Chief Privacy Officer (CPO), OCC

(U) OIG Recommendation 11: For OIG, we recommend that management: Ensure domain user accounts are reviewed for inactivity on an annual basis and domain administrator accounts are reviewed for inactivity on a semiannual basis, and any accounts that exceed ninety (90) days of inactivity are disabled.

    (U) OIG Response: Treasury agrees with this recommendation. OIG Planned Corrective Action: Disable unused accounts after 90 days. Target completion date is September 23, 2010.

    (U) Responsible Official: Dee Thompson, Director of Information Technology, OIG

(U) OIG Recommendation 12: For OIG, we recommend that management: Develop policies and procedures and document them in the system security plan for the annual review of OIG LAN room access.

    (U) OIG Response: Treasury agrees with this recommendation. OIG Planned Corrective Action: Review the LAN room's access list annually and remove users who no longer need access. Target completion date is December 31, 2010.

    (U) Responsible Official: Dee Thompson, Director of Information Technologies, OIG

(U) OIG Recommendation 13: For OIG, we recommend that management: Conduct a review of users' access to the OIG LAN room annually and remove access privileges for those individuals that do not need access.

    (U) OIG Response: Treasury agrees with this recommendation. OIG Planned Corrective Action: Update Operational, Technical, and Management Controls in the OIG system security plan. 
Target completion date is December 31, 2010.

    (U) Responsible Official: Dee Thompson, Director of Information Technologies, OIG

(U) OIG Recommendation 14: For (Office of Thrift Supervision) OTS, we recommend that management: Develop and implement a training program that outlines how the six-month user privileges review should be performed.

    (U) Treasury Response: Treasury agrees with this recommendation. OTS will ensure that a training program is developed and implemented that outlines how six-month user privileges reviews should be performed. OTS has already conducted a briefing for responsible officials detailing the additional measures that must be taken during the account review and the frequency with which these reviews must occur. Target completion date is June 30, 2011.

    (U) Responsible Official: Andrew Krug, CISO, OTS

(U) OIG Recommendation 15: For OTS, we recommend that management: Develop and implement a mechanism to track completion of the six-month user privileges review.

    (U) Treasury Response: Treasury agrees with this recommendation. OTS will ensure that mechanisms are developed and implemented which track the completion of the six-month user privileges review process. OTS is in the process of amending its Enterprise Continuous Monitoring process to include account reviews/audits of application user bases consistent with internal policies. Target completion date is January 30, 2011.

    (U) Responsible Official: Andrew Krug, CISO, OTS


(U) OIG Finding 2: Outsourcing the ISSO Role Created an IT Governance Concern at FMS

(U) OIG Recommendation 16: For (Financial Management Service) FMS, we recommend that management: Provide the (Information System Security Officer) ISSO with the network connectivity that will allow the bank employee access to FMS internal resources such as Treasury's FISMA collection and reporting tool, current FMS (Information Technology) IT security policy and security templates, and the ability to receive FMS email alerts regarding changes to FMS IT security policy and security templates.

    (U) Treasury Response: Treasury agrees with this recommendation. 1) FMS will provide the network connectivity that will allow access to FMS internal resources such as Trusted Agent FISMA (TAF), IT security policy updates, and updates to IT security templates by June 30, 2011; 2) FMS will review the ISSO duties to determine any gaps in capabilities by February 11, 2011; and 3) FMS will take appropriate actions against identified gaps by June 30, 2011. Target completion date is June 30, 2011.

    (U) Responsible Official: David Ambrose, CISO, Director, Security & Audit Directorate, FMS

(U) OIG Recommendation 17: For FMS, we recommend that management: Create FMS official guidance covering the appointment of the ISSO position at external providers. In such circumstances, FMS should confirm that communication requirements and needs are satisfied prior to outsourcing the ISSO position. Additionally, the guidance should address reporting relationships that might impact the ISSO's objectivity and clearly identify monitoring activities and assignment of responsibility to an FMS employee to mitigate potential conflicts.

    (U) Treasury Response: Treasury agrees with this recommendation. FMS Mission Assurance will develop and issue guidance concerning the appointment of the ISSO position at external providers. Target completion date is June 30, 2011.

    (U) Responsible Official: David Ambrose, CISO, Director, Security & Audit Directorate, FMS

(U) OIG Recommendation 18: For FMS, we recommend that management: Evaluate solutions to mitigate concerns over ISSO-management reporting relationships, which could include, for example, establishing or modifying internal controls, implementing monitoring tools, re-aligning the ISSO position under the bank's Information Security team or elsewhere within the bank, contracting for ISSO services through a different provider such as Independent Verification and Validation contractors, or reassigning ISSO responsibilities back to an FMS employee.

    (U) Treasury Response: Treasury agrees with this recommendation. The Authorizing Official and System Owner will review the ISSO reporting relationship and determine what, if any, changes need to be made. Target completion date is June 30, 2011.

    (U) Responsible Official: David Ambrose, CISO, Director, Security & Audit Directorate, FMS

(U) OIG Finding 3: POA&Ms Were Not Updated Timely and Maintained at FMS and OCC

(U) OIG Recommendation 19: For FMS, we recommend that management: Direct ISSOs to develop and record POA&M items in TAF within the designated time period when security vulnerabilities are identified.

    (U) Treasury Response: Treasury agrees with this recommendation. The FMS CISO will issue a memo to all ISSOs directing them to develop and record POA&M items in TAF within the designated time period according to FMS policy when security vulnerabilities are identified. Target completion date is June 30, 2011.

    (U) Responsible Official: David Ambrose, CISO, Director, Security & Audit Directorate, FMS

(U) OIG Recommendation 20: For FMS, we recommend that management: Provide additional oversight across all FMS systems to ensure that the POA&M process is managed in accordance with FMS, Treasury, and OMB policy and guidance.

    (U) Treasury Response: Treasury agrees with this recommendation. FMS Mission Assurance will implement a tracking mechanism for all security reviews and inform ISSOs of the date those reviews must be in TAF. 
Target\n           completion date is June 30, 2011.\n\n           (U) Responsible Official: David Ambrose, CISO, Director, Security & Audit\n           Directorate, FMS\n\n   (U) OIG Recommendation 21: For OCC, we recommend that management: Populate\n   the information system\xe2\x80\x99s POA&M to include vulnerabilities found in all applicable IT\n   security reviews and audits, including vulnerabilities identified from annual assessments,\n   audit reports, Treasury ACIOCS reviews, or internal bureau evaluations.\n\n           (U) Treasury Response: Treasury agrees with this recommendation. To\n           address a gap in the management of remediation activities, and the allocation of\n           resources associated with the remediation of vulnerabilities across systems, the\n           OCC Information Risk Management (IRM) office has begun to implement a\n           program to issue a Notice of Potential Finding and Recommendation (NPFR).\n           Utilizing the NPFR as a vehicle by which IRM is able to elevate findings to senior\n           management and communicate ownership to stakeholders, IRM aims to receive\n           increased commitment to the Plan of Action and Milestones process from\n           vulnerability owners. This remediation is ongoing, with a planned completion\n           date of June 30, 2011.\n\n           (U) Responsible Official: Roger Mahach, CISO and CPO, OCC\n\n   (U) OIG Recommendation 22: For OCC, we recommend that management: Populate\n   the information system\xe2\x80\x99s POA&M with the information required by Treasury and OCC.\n\n           (U) Treasury Response: Treasury agrees with this recommendation. 
To\n           address a gap in the management of remediation activities, and the allocation of\n           resources associated with the remediation of vulnerabilities across systems, the\n           OCC Information Risk Management (IRM) office has begun to implement a\n           program to issue a Notice of Potential Finding and Recommendation (NPFR).\n           Utilizing the NPFR as a vehicle by which IRM is able to elevate findings to senior\n           management and communicate ownership to stakeholders, IRM aims to receive\n           increased commitment to the Plan of Action and Milestones process from\n           vulnerability owners. This remediation is ongoing, with a planned completion\n           date of June 30, 2011.\n\n           (U) Responsible Official: Roger Mahach, CISO and CPO, OCC\n\n   (U) OIG Recommendation 23: For OCC, we recommend that management: Develop\n   and implement a training program for all individuals tasked with implementing the OCC\n   POA&M process.\n\n\n\n                                                                                       Page 28\n\x0cThe Department of the Treasury FISMA Performance Audit \xe2\x80\x93 2010\n\n           (U) Treasury Response: Treasury agrees with this recommendation. To\n           address a gap in the management of remediation activities, and the allocation of\n           resources associated with the remediation of vulnerabilities across systems, the\n           OCC Information Risk Management (IRM) office has begun to implement a\n           program to issue a Notice of Potential Finding and Recommendation (NPFR).\n           Utilizing the NPFR as a vehicle by which IRM is able to elevate findings to senior\n           management and communicate ownership to stakeholders, IRM aims to receive\n           increased commitment to the Plan of Action and Milestones process from\n           vulnerability owners. 
This remediation is ongoing, with a planned completion\n           date of June 30, 2011.\n\n           (U) Responsible Official: Roger Mahach, CISO and CPO, OCC\n\n\n   (U) OIG Finding 4: Security Incidents Were Not Reported Timely at BPD and TTB\n\n   (U) OIG Recommendation 24: For (Bureau of the Public Debt) BPD, we recommend\n   that management: Ensure that all potential and actual security incidents are reported to\n   (Treasury Computer Security Incident Response Center) TCSIRC within the required\n   time period.\n\n           (U) Treasury Response: Treasury agrees with this recommendation. The\n           BPD will review and revise incident response procedures to ensure that\n           incidents are reported to TCSIRC in accordance with Treasury defined time\n           requirements. Target completion date is February 2, 2011.\n\n           (U) Responsible Official: Jim McLaughlin, CISO and Privacy Act Officer\n           (PAO), BPD\n\n   (U) OIG Recommendation 25: For (The Alcohol and Tobacco Tax and Trade Bureau)\n   TTB, we recommend that management: Ensure that all potential and actual security\n   incidents are reported to TCSIRC within the required time period.\n\n           (U) Treasury Response: Treasury agrees with this recommendation. The\n           current TTB incident response procedures ensure that incidents are reported to\n           TCSIRC in accordance with Treasury defined time requirements. Additionally, all\n           Incident Response personnel are trained in the new procedure to ensure that all\n           security incidents are reported to TCSIRC within the required time period. The\n           completion date was June 30, 2010. 
Status: Closed

    (U) Responsible Official: Jackie Washington, ACIO - IT Security, TTB

(U) OIG Finding 5: Reviews of Audit Logs Were Not Documented at BEP

(U) OIG Recommendation 26: For BEP, we recommend that management: Develop and implement a process to review audit log information on a monthly basis for the information system that includes a requirement to document the reviews performed.

    (U) Treasury Response: Treasury agrees with this recommendation. BEP will establish a repository to archive audit log reviews within 30 days. Target completion date is November 30, 2010.

    (U) Responsible Official: Harinder Singh, CISO, BEP


(U) OIG Finding 6: Electronic Media Destruction Process at FinCEN Was Not Fully Compliant with Its Internal Policies

(U) OIG Recommendation 27: For FinCEN, we recommend that management: Secure and restrict access to media scheduled to be destroyed in accordance with its media sanitization policies.

    (U) Treasury Response: Treasury agrees with this recommendation. The FinCEN CIO will ensure that media scheduled to be destroyed is properly secured and access restricted; a media destruction list is maintained that identifies the device, serial number, and physical location of the media to be destroyed; and will reconcile the destroyed hardware and media against the list of items to be destroyed. Target completion date is January 31, 2011.

    (U) Responsible Official: Gregory Sohn, CISO, FinCEN

(U) OIG Recommendation 28: For FinCEN, we recommend that management: Maintain a list identifying the device, serial number, and physical location of media that is scheduled to be destroyed.

    (U) Treasury Response: Treasury agrees with this recommendation. The FinCEN CIO will ensure that media scheduled to be destroyed is properly secured and access restricted; a media destruction list is maintained that identifies the device, serial number, and physical location of the media to be destroyed; and will reconcile the destroyed hardware and media against the list of items to be destroyed. Target completion date is January 31, 2011.

    (U) Responsible Official: Gregory Sohn, CISO, FinCEN

(U) OIG Recommendation 29: For FinCEN, we recommend that management: Reconcile the destroyed hardware and electronic recording media with the list of items to be destroyed.

    (U) Treasury Response: Treasury agrees with this recommendation. The FinCEN CIO will ensure that media scheduled to be destroyed is properly secured and access restricted; a media destruction list is maintained that identifies the device, serial number, and physical location of the media to be destroyed; and will reconcile the destroyed hardware and media against the list of items to be destroyed. Target completion date is January 31, 2011.

    (U) Responsible Official: Gregory Sohn, CISO, FinCEN

(U) OIG Finding 7: Password Settings Were Not Properly Configured to Lockout for a BPD System

(U) OIG Recommendation: For BPD: Since BPD management updated the system configurations to remediate this finding, no recommendations were necessary.

    (U) Treasury Response: This finding has been remediated by BPD management. Status: Closed

    (U) Responsible Official: Jim McLaughlin, CISO and PAO, BPD


Status of Prior Year Findings                                                                                  Appendix I

APPENDIX I – STATUS OF PRIOR YEAR FINDINGS

Finding #                  Prior Year Condition                                  Recommendation(s)/                    Status
                                                                                 Prior Year Management Response
Finding #1 – Financial     During Fiscal Year (FY) 2009, FMS issued a full       We recommend that FMS management:     Implemented/Closed
Management Service         Authority to Operate (ATO) for two (2) systems
(FMS)                      reviewed. However, a full risk assessment was not     1. 
Complete the full certification and                  Both systems were\n                           performed, and the security test and evaluation only    accreditation of the first FMS system                certified and accredited in\nNIST Federal               included an assessment of the technical security        identified above by the estimated completion         accordance with the NIST\nInformation Processing     control families of the National Institute of           date tracked in the Plan of Actions &                Special Publication 800-\nStandard (FIPS) 200        Standards and Technology (NIST) Special                 Milestones (POA&M).                                  37.\nMinimum Security           Publication 800-53, Recommended Security Controls 2. Finalize the security assessment reporting\nControl Baselines Were     for Federal Information Systems.                        process and reissue the full ATO for the\nNot Sufficiently Tested                                                            second FMS system identified above.\nor Implemented.\nFinding #1 \xe2\x80\x93 Office of     As of June 30, 2009, the two (2) systems were not      We recommend that OTS management continue             Implemented/Closed\nThrift Supervision         fully accredited systems.                              
with plans to resolve the security weakness\n(OTS)                                                                             identified during the certification and               Both systems were\n                                                                                  accreditation process for all OTS systems by the      certified and accredited in\nNIST FIPS 200                                                                     end of the interim authorization period,              accordance with the NIST\nMinimum Security                                                                  September 25, 2009 and continue with plans to         Special Publication 800-\nControl Baselines Were                                                            grant a full authority to operate during the FY       37.\nNot Sufficiently Tested                                                           2010 Federal Information Security Management\nor Implemented                                                                    Act (FISMA) reporting period.\n(Repeated)\nFinding #2              At the conclusion of the FY 2008 FISMA audit, two         We recommend that OPTR management finalize            Implemented/Closed\n                        (2) Treasury Directives and Publications related to       all of the directives and policies related to the\nPolicies Required by    the collection, use, sharing, disclosure, transfer, and   collection, use, sharing, disclosure, transfer, and   OPTR provided the signed\nOffice of Management    storage of personally identifiable information (PII)      storage of PII identified above. (Repeat              TD 25-08, dated\nand Budget (OMB)        were not finalized. 
During the 2009 FISMA                 Recommendation)                                       December 22, 2009.\nMemorandum 07-16 have reporting cycle, the Office of Privacy and Treasury\nnot been Finalized and  Records (OPTR) finalized Treasury Directive\nIssued (Repeat Finding) Publication (TD P) 25-07, Privacy Impact\n                        Assessment Manual; however, at the conclusion of\n                        the FY 2009 FISMA Evaluation, Treasury Directive\n                        (TD) 25-08, Safeguarding Against and Responding\n                        to the Breach of Personally Identifiable Information,\n                        was still in draft.\n\n\n\n\n                                                                                                                                                            Page 32\n\x0cStatus of Prior Year Findings                                                                                                                     Appendix I\n\n                                                                              Recommendation(s)/\nFinding #                 Prior Year Condition                                                                                     Status\n                                                                              Prior Year Management Response\nFinding #3               At the conclusion of the FY 2008 FISMA audit, the    We recommend that DO information technology          Implemented/Closed\n                         DO had not implemented the FDCC secure               (IT) management fully implement the FDCC\nThe Departmental Offices configuration baseline on all headquarters           secure baseline configurations on all headquarters   All FDCC security\n(DO) Federal Desktop     workstations. 
As of the conclusion of the FY 2009    end-user workstations by the November 15, 2009       configurations were\nCore Configuration       FISMA evaluation, we again noted that DO still had   due date outlined in the POA&M weakness.             applied to all headquarters\n(FDCC) Image is Not      not implemented the FDCC secure configuration                                                             end-user workstations.\nFully Implemented        baseline on all workstations.\n(Repeat Findings)\nFinding #4               At the close of the 2009 FISMA reporting cycle,      We recommend that BPD management:                    Implemented/Closed\n                         BPD was not using a SCAP validated tool to scan\nThe Bureau of Public     the BPD FDCC secure configuration baseline.          1. Continue with efforts to implement a SCAP-        FDCC baseline settings\nDebt (BPD) is Not Using                                                          validated tool.                                   indicated a SCAP-\na Security Content                                                            2. Utilize a SCAP-validated tool to monitor the      validated tool was in use.\nAutomation Protocol                                                              BPD FDCC secure configuration baseline\n(SCAP)                                                                           image.\n\n\nFinding #5                FMS was not consistently managing POA&M\xe2\x80\x99s           We recommend that FMS management:                    Partially\n                          Estimate to Complete dates and Milestones for two                                                        Implemented/Open\nFMS POA&M Estimate        (2) of the five (5) systems selected in our         1. 
Update the estimate to complete dates and\nto Completion Dates       representative subset of FMS major applications and    milestones for each of the identified             Both systems\xe2\x80\x99 POA&Ms\nWere Not Consistently     general support systems.                               weaknesses to reflect current status.             were completed or updated\nUpdated in Accordance                                                         2. Provide additional oversight across all FMS       to accurately reflect\nwith FMS Policy.                                                                 systems to ensure that the POA&M process          \xe2\x80\x9cEstimate to Completion\xe2\x80\x9d\n                                                                                 is managed in accordance with FMS,                and \xe2\x80\x9cMilestone\xe2\x80\x9d dates.\n                                                                                 Treasury, and OMB policy and guidance.\n                                                                                                                                   However, we identified\n                                                                                                                                   additional POA&M\n                                                                                                                                   weakness at FMS. 
See FY\n                                                                                                                                   2010 Finding #3.\n\n\n\n\n                                                                                                                                                       Page 33\n\x0cStatus of Prior Year Findings                                                                                                                    Appendix I\n\n                                                                               Recommendation(s)/\nFinding #                  Prior Year Condition                                                                                  Status\n                                                                               Prior Year Management Response\nFinding #6               The frequency of vulnerability scanning over one (1) We recommend that BPD Office of the                Implemented/Closed\n                         of BPD\xe2\x80\x99s systems was not in line with Treasury-       Information Technology (OIT) management:\nFrequency of             wide policy and the control requirements outlined in                                                    BPD closed one of the\nVulnerability Assessment the system\xe2\x80\x99s security plan. Currently, the system was 1. 
Continue follow-up efforts to resolve or       vulnerabilities identified in\nScanning at BPD Was      being scanned annually, while the minimum required        dispose of all potential vulnerabilities      FY 2009 and the other\nNot in Line with Bureau frequency of vulnerability scanning specified by           identified during the recent vulnerability\n                                                                                                                                 vulnerability has a\nand Treasury Policy      Treasury policy and the control requirements              assessment.\n                         outlined in the system\xe2\x80\x99s security plan is at least    2. Review and update internal BPD bureau-         corrective action plan in\n                         quarterly.                                                wide IT policies as appropriate.              place. In addition, BPD\n                                                                               3. 
Conduct vulnerability scans on at least a      developed a bureau-wide\n                                                                                   quarterly basis as required by TD P 85-01     IT policy, which addresses\n                                                                                                                                 vulnerability scanning.\n                                                                                                                                 Lastly, vulnerability scans\n                                                                                                                                 were performed on a\n                                                                                                                                 monthly basis starting\n                                                                                                                                 March 2010.\n\nFinding #7                 FinCEN had not performed an E-Authentication         We recommend that FinCEN management               Implemented/Closed\n                           Risk Assessment for the one (1) reviewed system      perform an E-Authentication Risk Assessment\nE-Authentication Risk      selected.                                            for the one (1) system selected at FinCEN for the The E-Authentication Risk\nAssessment Was Not                                                              FY 2009 FISMA Evaluation.                         
Assessment was conducted\nPerformed at the                                                                                                                  for the system.\nFinancial Crimes\nEnforcement Network\n(FinCEN)\n\n\n\n\n                                                                                                                                                      Page 34\n\x0cThe Department of the Treasury\xe2\x80\x99s Consolidated Response to OMB\xe2\x80\x99s FISMA 2010 Questions for Inspectors General                                      Appendix II\n\n\n\n\n                                                                                                                           \t\nAPPENDIX II \xe2\x80\x93 THE DEPARTMENT OF THE TREASURY\xe2\x80\x99S CONSOLIDATED RESPONSE TO OMB\xe2\x80\x99S FISMA 2010\nQUESTIONS FOR INSPECTORS GENERAL\n\nThe information included in Appendix II represents the Department of the Treasury\xe2\x80\x99s consolidated responses to OMB\xe2\x80\x99s FISMA 2010 questions for\nInspectors Generals. KPMG prepared responses to OMB questions based on an assessment of 15 information systems across 13 Treasury\ncomponents, excluding the IRS and TIGTA. A decision was made to inspect only one (1) OIG system every year. TIGTA performed audit\nprocedures over the IRS and its information systems and provided their answers to the Treasury OIG and KPMG for consolidation. The\ninformation provided by TIGTA has not been subjected to KPMG audit procedures and, accordingly, we express no opinion on it.\n\nS1: Certification and Accreditation\nStatus of Certification and             a.\t The Agency has established and is maintaining a certification and accreditation program that is generally\nAccreditation Program [check one]   \xef\x83\xbc       consistent with NIST\xe2\x80\x99s and OMB\xe2\x80\x99s FISMA requirements. 
Although improvement opportunities may have\n                                            been identified by the OIG, the program includes the following attributes:\n                                            1. Documented policies and procedures describing the roles and responsibilities of participants in the\n                                                certification and accreditation process.\n                                            2. Establishment of accreditation boundaries for agency information systems.\n                                            3. Categorizes information systems.\n                                            4. Applies applicable minimum baseline security controls.\n                                            5. Assesses risks and tailors security control baseline for each system.\n                                            6. Assessment of the management, operational, and technical security controls in the information system.\n                                            7. Risks to Agency operations, assets, or individuals analyzed and documented in the system security plan,\n                                              \t\n\n\n\n\n                                                risk assessment, or an equivalent document.\n                                            8. 
The accreditation official is provided (i) the security assessment report from the certification agent\n                                              \t\n\n\n\n\n                                                providing the results of the independent assessment of the security controls and recommendations for\n                                                corrective actions; (ii) the plan of action and milestones from the information system owner indicating\n                                                actions taken or planned to correct deficiencies in the controls and to reduce or eliminate vulnerabilities in\n                                                the information system; and (iii) the updated system security plan with the latest copy of the risk\n                                                assessment.\n                                        b.\t The Agency has established and is maintaining a certification and accreditation program. However, the\n                                            Agency needs to make significant improvements as noted below.\n                                        c. The Agency has not established a certification and accreditation program.\n1a. If b. 
checked above, check          1a(1) Certification and accreditation policy is not fully developed.\n\n\n\n\n                                                                                                             \n\n    areas that need significant         1a(2) Certification and accreditation procedures are not fully developed, sufficiently detailed or consistently\n                              \n\n\n\n\n\n    improvement:                               implemented.\n                                        1a(3) Information systems are not properly categorized (FIPS 199/SP 800-60).\n                                        1a(4) Accreditation boundaries for agency information systems are not adequately defined.\n\n\n\n\n                                                                                                                                                       Page 35\n\x0cThe Department of the Treasury\xe2\x80\x99s Consolidated Response to OMB\xe2\x80\x99s FISMA 2010 Questions for Inspectors General                                Appendix II\n\n\n\n\n                                                                                                                      \t\n                                       1a(5) Minimum baseline security controls are not adequately applied to information systems (FIPS 200/SP 800-\n                                              53).\n                                       1a(6) Risk assessments are not adequately conducted (SP 800-30).\n                                       1a(7) Security control baselines are not adequately tailored to individual information systems (SP 800-30).\n                                       1a(8) Security plans do not adequately identify security requirements (SP 800-18).\n                                       1a(9) Inadequate process to assess security control effectiveness (SP 800-53A).\n                                       1a(10) Inadequate process to determine risk to agency 
operations, agency assets, or individuals, or to authorize\n                                              information systems to operate (SP 800-37).\n                                       1a(11) Inadequate process to continuously track changes to information systems that may necessitate reassessment\n                                              of control effectiveness (SP 800-37).\n                                       1a(12) Other\n                                              Explanation for Other:\n   Comments:\n\nS2: Configuration Management\nStatus of Security Configuration       a.\t The Agency has established and is maintaining a security configuration management program that is generally\nManagement Program [check one]             consistent with NIST's and OMB's FISMA requirements. Although improvement opportunities may have been\n                                           identified by the OIG, the program includes the following attributes:\n                                           1. Documented policies and procedures for configuration management.\n                                           2. Standard baseline configurations.\n                                           3. Scanning for compliance and vulnerabilities with baseline configurations.\n                                           4. FDCC baseline settings fully implemented and/or any deviations from FDCC baseline settings fully\n                                             \t\n\n\n\n\n                                               documented.\n                                           5. Documented proposed or actual changes to the configuration settings.\n                                           6. Process for the timely and secure installation of software patches.\n                                       b. The Agency has established and is maintaining a security configuration management program. 
However, the\n                                   \xef\x83\xbc       Agency needs to make significant improvements as noted below.\n                                       c. The Agency has not established a security configuration management program.\n2a. If b. checked above, check         2a(1) Configuration management policy is not fully developed.\n\n\n\n\n                                                                                                     \n\n    areas that need significant    \xef\x83\xbc   2a(2) Configuration management procedures are not fully developed or consistently implemented.\n                              \n\n\n\n\n\n                                                                                                                                       \n\n    improvement:                       2a(3) Software inventory is not complete (NIST 800-53: CM-8).\n                  \n\n\n\n\n\n                                                                                                      \n\n                                       2a(4) Standard baseline configurations are not identified for all software components (NIST 800-53: CM-8).\n\n\n\n\n                                                                                                                                                 \n\n                                       2a(5) Hardware inventory is not complete (NIST 800-53 CM-8).\n\n\n                                                                                                       \n\n                                       2a(6) Standard baseline configurations are not identified for all hardware components (NIST 800-53: CM-2).\n\n\n\n\n                                                                                                                                                  \n\n                                       2a(7) Standard baseline configurations are not fully implemented (NIST 800-53: CM-2).\n\n\n\n\n               
                                                                                                               \n\n                                       2a(8) FDCC is not fully implemented (OMB) and/or all deviations are not fully documented.\n\n\n\n\n                                                                                                                                  \n\n                                                                                                                                                Page 36\n\x0cThe Department of the Treasury\xe2\x80\x99s Consolidated Response to OMB\xe2\x80\x99s FISMA 2010 Questions for Inspectors General                                          Appendix II\n\n                                              2a(9) Software scanning capabilities are not fully implemented (NIST 800-53: RA-5, SI-2).\n                                              2a(10) Configuration-related vulnerabilities have not been remediated in a timely manner (NIST 800-53: CM-4,\n                                        \xef\x83\xbc             CM-6, RA-5, SI-2).\n                                        \xef\x83\xbc 2a(11) Patch management process is not fully developed (NIST 800-53: CM-3, SI-2).\n                                              2a(12) Other\n                                                      Explanation for Other:\nComments: TIGTA: The IRS has not completed corrective actions to resolve the software configuration management component of the IRS computer security\nmaterial weakness. Until the IRS has implemented adequate configuration management controls Agencywide, it cannot ensure the security and integrity of\nsystem programs, files, and data. In March 2010, TIGTA reported that the IRS was not timely addressing high- and medium-risk system vulnerabilities that it\nidentified on Automated Collection System servers. 
In addition, during the 2010 FISMA evaluation period, the TIGTA concluded fieldwork on an audit to\nevaluate IRS email servers and found that the IRS is not taking timely actions to correct medium-risk security vulnerabilities identified through monthly scans on\nits email servers. The IRS computer security material weakness relating to configuration management includes unresolved weaknesses in the IRS patch\nmanagement process. The IRS\xe2\x80\x99s corrective action plan for resolving the patch management weaknesses indicates that corrective actions are still ongoing.\n2b. Identify baselines reviewed:\n2b(1) Software Name                    None\n2b(2) Software Version                 None\n\nS3: Incident Response and Reporting\nStatus of Incident Response &                 a.   The Agency has established and is maintaining an incident response and reporting program that is generally\nReporting Program [check one]           \xef\x83\xbc          consistent with NIST\xe2\x80\x99s and OMB\xe2\x80\x99s FISMA requirements. Although improvement opportunities may have\n                                                   been identified by the OIG, the program includes the following attributes:\n                                                   1. Documented policies and procedures for responding and reporting to incidents.\n                                                   2. Comprehensive analysis, validation, and documentation of incidents.\n                                                   3. When applicable, reports to US-CERT within established timeframes.\n                                                   4. When applicable, reports to law enforcement within established timeframes.\n                                                   5. Responds to and resolves incidents in a timely manner to minimize further damage.\n\n                                              b. The Agency has established and is maintaining an incident response and reporting program. 
However, the\n                                                  Agency needs to make significant improvements as noted below.\n                                              c. The Agency has not established an incident response and reporting program.\n3a. If b. checked above, check                3a(1) Incident response and reporting policy is not fully developed.\n    areas that need significant               3a(2) Incident response and reporting procedures are not fully developed, sufficiently detailed or consistently\n    improvement:                                    implemented.\n                                              3a(3) Incidents were not identified in a timely manner (NIST 800-53, 800-61, and OMB M-07-16, M-06-19).\n                                              3a(4) Incidents were not reported to US-CERT as required (NIST 800-53, 800-61, and OMB M-07-16, M-06-\n                                                    19).\n\n\n\n                                                                                                                                                           Page 37\n\x0cThe Department of the Treasury\xe2\x80\x99s Consolidated Response to OMB\xe2\x80\x99s FISMA 2010 Questions for Inspectors General                                      Appendix II\n\n                                        3a(5) Incidents were not reported to law enforcement as required.\n                                        3a(6) Incidents were not resolved in a timely manner (NIST 800-53, 800-61, and OMB M-07-16, M-06-19).\n                                        3a(7) Incidents were not resolved to minimize further damage (NIST 800-53, 800-61, and OMB M-07-16, M-06-\n                                                 19).\n                                        3a(8) There is insufficient incident monitoring and detection coverage (NIST 800-53, 800-61, and OMB M-07-\n                                                 16, M-06-19).\n                             
    3a(9) Other
          Explanation for Other:

Comments: Treasury OIG: BPD did not report 4 of 13 incidents in the required timeframe. TTB did not report 2 of 14 in the required timeframe.

S4: Security Training

Status of Security Training Program [check one]:
    a. The Agency has established and is maintaining a security training program that is generally consistent with NIST’s and OMB’s FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
       1. Documented policies and procedures for security awareness training.
       2. Documented policies and procedures for specialized training for users with significant information security responsibilities.
       3. Appropriate training content based on the organization and roles.
       4. Identification and tracking of all employees with login privileges that need security awareness training.
       5. Identification and tracking of employees without login privileges that require security awareness training.
       6. Identification and tracking of all employees with significant information security responsibilities that require specialized training.
  ✓ b. The Agency has established and is maintaining a security training program. However, the Agency needs to make significant improvements as noted below.
    c. The Agency has not established a security training program.

4a. If b. checked above, check areas that need significant improvement:
    4a(1) Security awareness training policy is not fully developed.
    4a(2) Security awareness training procedures are not fully developed, sufficiently detailed or consistently implemented.
    4a(3) Specialized security training policy is not fully developed.
    4a(4) Specialized security awareness training procedures are not fully developed or sufficiently detailed (SP 800-50, SP 800-53).
    4a(5) Training material for security awareness training does not contain appropriate content for the Agency (SP 800-50, SP 800-53).
    4a(6) Identification and tracking of employees with login privileges that require security awareness training is not adequate (SP 800-50, SP 800-53).
    4a(7) Identification and tracking of employees without login privileges that require security awareness training is not adequate (SP 800-50, SP 800-53).
    4a(8) Identification and tracking of employees with significant information security responsibilities is not adequate (SP 800-50, SP 800-53).
    4a(9) Training content for individuals with significant information security responsibilities is not adequate (SP 800-53, SP 800-16).
    4a(10) Less than 90 percent of employees with login privileges attended security awareness training in the past year.
    4a(11) Less than 90 percent of employees with significant security responsibilities attended security awareness training in the past year.
  ✓ 4a(12) Other: TIGTA:
           (1) Not all contractors with staff-like access at the IRS were provided with security awareness training.
           (2) The IRS needs to improve identification and tracking of employees and contractors with significant security responsibilities.
           Explanation for Other: TIGTA:
           (1) In June 2010, the GAO reported that the IRS did not provide security awareness training for all IRS contractors who are provided unescorted physical access to its facilities containing taxpayer receipts and information. Based on the GAO’s finding, the IRS stated it updated its policy as of September 7, 2010, to require all contractors to take security awareness training suitable to their type of access, and modified its contractor tracking system to track the completion of the required training modules for each contractor during the Fiscal Year 2011 FISMA evaluation period.
           (2) The TIGTA was unable to definitively determine the percentage of IRS employees and contractors with significant security responsibilities that completed specialized security training in the past year. Until the IRS completes several actions, the TIGTA cannot verify the population of IRS employees and contractors that require specialized training or the numbers of those that completed their required training.

Comments:

S5: POA&M

Status of Plan of Action & Milestones (POA&M) Program [check one]:
    a. The Agency has established and is maintaining a POA&M program that is generally consistent with NIST’s and OMB’s FISMA requirements and tracks and monitors known information security weaknesses. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
       1. Documented policies and procedures for managing all known IT security weaknesses.
       2. Tracks, prioritizes, and remediates weaknesses.
       3. Ensures remediation plans are effective for correcting weaknesses.
       4. Establishes and adheres to reasonable remediation dates.
       5. Ensures adequate resources are provided for correcting weaknesses.
       6. Program officials and contractors report progress on remediation to the CIO on a regular basis, at least quarterly, and the CIO centrally tracks, maintains, and independently reviews/validates the POA&M activities at least quarterly.
  ✓ b. The Agency has established and is maintaining a POA&M program that tracks and remediates known information security weaknesses. However, the Agency needs to make significant improvements as noted below.
    c. The Agency has not established a POA&M program.

5a. If b. checked above, check areas that need significant improvement:
    5a(1) POA&M policy is not fully developed.
    5a(2) POA&M procedures are not fully developed, sufficiently detailed or consistently implemented.
  ✓ 5a(3) POA&Ms do not include all known security weaknesses (OMB M-04-25).
  ✓ 5a(4) Remediation actions do not sufficiently address weaknesses (NIST SP 800-53, Rev. 3, Sect. 3.4 Monitoring Security Controls).
    5a(5) Initial dates of security weaknesses are not tracked (OMB M-04-25).
    5a(6) Security weaknesses are not appropriately prioritized (OMB M-04-25).
    5a(7) Estimated remediation dates are not reasonable (OMB M-04-25).
    5a(8) Initial target remediation dates are frequently missed (OMB M-04-25).
  ✓ 5a(9) POA&Ms are not updated in a timely manner (NIST SP 800-53, Rev. 3, Control CA-5, & OMB M-04-25).
    5a(10) Costs associated with remediating weaknesses are not identified (NIST SP 800-53, Rev. 3, Control PM-3 & OMB M-04-25).
    5a(11) Agency CIO does not track and review POA&Ms (NIST SP 800-53, Rev. 3, Control CA-5 & OMB M-04-25).
  ✓ 5a(12) Other: TIGTA:
           IRS security weaknesses were closed in POA&Ms before effective corrective action was taken.
           Explanation for Other: TIGTA:
           In August 2009, the TIGTA reported that the IRS had prematurely reported resolution of six security control vulnerabilities for the Customer Accounts Data Engine in POA&Ms before effective corrective action was taken. In May 2010, the TIGTA reported that the IRS closed four POA&M weaknesses identified in the Modernized e-File system before effective corrective action was taken. During the 2010 FISMA evaluation period, the IRS took steps to improve its POA&M procedures; however, the TIGTA did not find information to indicate that required verifications were performed before closing these weaknesses as per IRS policy.

Comments: Treasury OIG: FMS did not record security vulnerabilities in a timely manner in Trusted Agent FISMA (TAF) for 2 of the 3 systems. OCC did not update, submit, and include all necessary elements of the reviewed system’s POA&M.

TIGTA: In May 2010, the TIGTA reported that security weaknesses identified by the IRS at seven of the eight contractor facilities we sampled were not maintained in POA&Ms as required by FISMA. In addition, during the Fiscal Year 2010 FISMA evaluation period, the TIGTA completed fieldwork on an audit to evaluate IRS email servers and found that medium-risk weaknesses the IRS repeatedly detected on its email servers through monthly scans were not posted to POA&Ms.

S6: Remote Access Management

Status of Remote Access Program [check one]:
  ✓ a. The Agency has established and is maintaining a remote access program that is generally consistent with NIST’s and OMB’s FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
       1. Documented policies and procedures for authorizing, monitoring, and controlling all methods of remote access.
       2. Protects against unauthorized connections or subversion of authorized connections.
       3. Users are uniquely identified and authenticated for all access.
       4. If applicable, multi-factor authentication is required for remote access.
       5. Authentication mechanisms meet NIST Special Publication 800-63 guidance on remote electronic authentication, including strength mechanisms.
       6. Requires encrypting sensitive files transmitted across public networks or stored on mobile devices and removable media such as CDs and flash drives.
       7. Remote access sessions are timed out after a maximum of 30 minutes of inactivity, after which re-authentication is required.
    b. The Agency has established and is maintaining a remote access program. However, the Agency needs to make significant improvements as noted below.
    c. The Agency has not established a program for providing secure remote access.

6a. If b. checked above, check areas that need significant improvement:
    6a(1) Remote access policy is not fully developed.
    6a(2) Remote access procedures are not fully developed, sufficiently detailed or consistently implemented.
    6a(3) Telecommuting policy is not fully developed (NIST 800-46 Section 5.1).
    6a(4) Telecommuting procedures are not fully developed or sufficiently detailed (NIST 800-46 Section 5.4).
    6a(5) Agency cannot identify all users who require remote access (NIST 800-46 Section 4.2, Section 5.1).
    6a(6) Multi-factor authentication is not properly deployed (NIST 800-46 Section 2.2, Section 3.3).
    6a(7) Agency has not identified all remote devices (NIST 800-46 Section 2.1).
    6a(8) Agency has not determined that all remote devices and/or end user computers have been properly secured (NIST 800-46 Section 3.1 and Section 4.2).
    6a(9) Agency does not adequately monitor remote devices when connected to the agency’s networks remotely (NIST 800-46 Section 3.2).
    6a(10) Lost or stolen devices are not disabled and appropriately reported (NIST 800-46 Section 4.3, US-CERT Incident Reporting Guidelines).
    6a(11) Remote access rules of behavior are not adequate (NIST 800-53, PL-4).
    6a(12) Remote access user agreements are not adequate (NIST 800-46 Section 5.1 & NIST 800-53, PS-6).
    6a(13) Other
           Explanation for Other:

S7: Identity and Access Management

Status of Account and Identity Management Program [check one]:
    a. The Agency has established and is maintaining an account and identity management program that is generally consistent with NIST’s and OMB’s FISMA requirements and identifies users and network devices. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
       1. Documented policies and procedures for account and identity management.
       2. Identifies all users, including federal employees, contractors, and others who access Agency systems.
       3. Identifies when special access requirements (e.g., multi-factor authentication) are necessary.
       4. If multi-factor authentication is in use, it is linked to the Agency’s PIV program.
       5. Ensures that users are granted access based on need and separation of duties principles.
       6. Identifies devices that are attached to the network and distinguishes these devices from users.
       7. Ensures that accounts are terminated or deactivated once access is no longer required.
  ✓ b. The Agency has established and is maintaining an account and identity management program that identifies users and network devices. However, the Agency needs to make significant improvements as noted below.
    c. The Agency has not established an account and identity management program.

7a. If b. checked above, check areas that need significant improvement:
    7a(1) Account management policy is not fully developed.
  ✓ 7a(2) Account management procedures are not fully developed, sufficiently detailed or consistently implemented.
    7a(3) Active Directory is not properly implemented (NIST 800-53, AC-2).
    7a(4) Other non-Microsoft account management software is not properly implemented (NIST 800-53, AC-2).
    7a(5) Agency cannot identify all user and non-user accounts (NIST 800-53, AC-2).
    7a(6) Accounts are not properly issued to new users (NIST 800-53, AC-2).
  ✓ 7a(7) Accounts are not properly terminated when users no longer require access (NIST 800-53, AC-2).
    7a(8) Agency does not use multi-factor authentication when required (NIST 800-53, IA-2).
    7a(9) Agency has not adequately planned for implementation of PIV for logical access (HSPD-12, FIPS 201, OMB M-05-24, OMB M-07-06, OMB M-08-01).
  ✓ 7a(10) Privileges granted are excessive or result in capability to perform conflicting functions (NIST 800-53, AC-2, AC-6).
    7a(11) Agency does not use dual accounts for administrators (NIST 800-53, AC-5, AC-6).
    7a(12) Network devices are not properly authenticated (NIST 800-53, IA-3).
  ✓ 7a(13) Other
           Explanation for Other: Treasury OIG:
           Review of Inactive Accounts and Annual Reviews Are Not Being Consistently Conducted
           Physical Access to Restricted Areas Is Not Properly Reviewed and Administered

Comments: Treasury OIG: BEP did not document its reviews of user accounts for the selected system in accordance with its system security plan. DO’s first system reviewed did not disable users after 90 days of inactivity. OCC’s system reviewed lacked an automated capability to disable inactive accounts per its policy. OIG’s system reviewed had accounts that had not been disabled after 90 days of inactivity. OTS did not review user access to the system reviewed on a regular basis. FinCEN’s physical access to its data center was not reviewed annually. The OIG’s physical access to its data center was not reviewed annually.

TIGTA: The IRS has not completed corrective actions to resolve the component of the IRS computer security material weakness relating to access controls. While the IRS’s corrective action plan for this material weakness indicates progress has been made, corrective actions are still ongoing to ensure that effective access controls are implemented IRS-wide. In July 2009, the TIGTA reported that, in a sample of 7 IRS systems, 53 of 376 contractors had active user accounts but did not have a business need to access these systems. The TIGTA also identified 15 contractors whose system access was not deleted in a timely manner upon separation from the contract with the IRS. In addition, in March 2010, the TIGTA reported that a system was not configured to remove user accounts in accordance with IRS security policy. In July 2009, the TIGTA reported that, from a sample of 7 IRS systems, 12 system development contractors had access and full privileges to the production environment of the system on which they worked, in violation of the IRS policy on separation of duties. In addition, 39 system administration contractors also had database administrator privileges. In addition, in March 2010, the TIGTA reported that 6 of 109 sampled employees’ system privileges on the Automated Collection System were not restricted to only those privileges needed to perform assigned duties. In addition, 58 employees had unneeded privileges that allowed them the authority to create, modify, or delete the system audit trails.

S8: Continuous Monitoring Management

Status of Continuous Monitoring Program [check one]:
    a. The Agency has established an entity-wide continuous monitoring program that assesses the security state of information systems that is generally consistent with NIST’s and OMB’s FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
       1. Documented policies and procedures for continuous monitoring.
       2. Documented strategy and plans for continuous monitoring, such as vulnerability scanning, log monitoring, notification of unauthorized devices, sensitive new accounts, etc.
       3. Ongoing assessments of selected security controls (system-specific, hybrid, and common) that have been performed based on the approved continuous monitoring plans.
       4. Provides system authorizing officials and other key system officials with security status reports covering updates to security plans and security assessment reports, as well as POA&M additions.
  ✓ b. The Agency has established an entity-wide continuous monitoring program that assesses the security state of information systems. However, the Agency needs to make significant improvements as noted below.
    c. The Agency has not established a continuous monitoring program.

8a. If b. checked above, check areas that need significant improvement:
    8a(1) Continuous monitoring policy is not fully developed.
    8a(2) Continuous monitoring procedures are not fully developed or consistently implemented.
    8a(3) Strategy or plan has not been fully developed for entity-wide continuous monitoring (NIST 800-37).
    8a(4) Ongoing assessments of selected security controls (system-specific, hybrid, and common) have not been performed (NIST 800-53, NIST 800-53A).
    8a(5) The following were not provided to the system authorizing official or other key system officials: security status reports covering continuous monitoring results, updates to security plans, security assessment reports, and POA&Ms (NIST 800-53, NIST 800-53A).
  ✓ 8a(6) Other: TIGTA:
           The IRS has not resolved its computer security material weakness relating to audit logging.
           Explanation for Other:
           Treasury OIG: BEP did not document reviews of audit logs for the system we reviewed in accordance with NIST SP 800-53 and Treasury policy.
           TIGTA: The IRS corrective action plan for resolving the audit logging component of the IRS computer security material weakness indicates that there are still ongoing corrective actions. Until corrective actions are completed, the IRS cannot effectively monitor key networks and systems to identify unauthorized activities and inappropriate system configurations. In July 2010, the TIGTA reported that the IRS has not taken sufficient actions or allocated sufficient resources to resolve the audit trail material weakness. Our review of 20 major systems found that events were not being adequately captured and reviewed on many databases, applications, and operating systems because: 1) very few systems have audit plans, 2) the IRS did not have adequate event capturing and report generating software tools, 3) audit reports were not being generated, and 4) the IRS determined that capturing required events could hurt system performance.

S9: Contingency Planning

Status of Contingency Planning Program [check one]:
    a. The Agency has established and is maintaining an entity-wide business continuity/disaster recovery program that is generally consistent with NIST’s and OMB’s FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
       1. Documented business continuity and disaster recovery policy providing the authority and guidance necessary to reduce the impact of a disruptive event or disaster.
       2. The agency has performed an overall Business Impact Assessment.
       3. Development and documentation of division, component, and IT infrastructure recovery strategies, plans, and procedures.
       4. Testing of all system-specific contingency plans.
       5. The documented business continuity and disaster recovery plans are ready for implementation.
       6. Development of training, testing, and exercises (TT&E) approaches.
       7. Performance of regular ongoing testing or exercising of continuity/disaster recovery plans to determine effectiveness and to maintain current plans.
  ✓ b. The Agency has established and is maintaining an entity-wide business continuity/disaster recovery program. However, the Agency needs to make significant improvements as noted below.
    c. The Agency has not established a business continuity/disaster recovery program.

9a. If b. checked above, check areas that need significant improvement:
    9a(1) Contingency planning policy is not fully developed.
    9a(2) Contingency planning procedures are not fully developed or consistently implemented.
    9a(3) An overall business impact assessment has not been performed (NIST SP 800-34).
    9a(4) Development of organization, component, or infrastructure recovery strategies and plans has not been accomplished (NIST SP 800-34).
    9a(5) A business continuity/disaster recovery plan has not been developed (FCD1, NIST SP 800-34).
    9a(6) A business continuity/disaster recovery plan has been developed, but not fully implemented (FCD1, NIST SP 800-34).
    9a(7) System contingency plans missing or incomplete (FCD1, NIST SP 800-34, NIST SP 800-53).
    9a(8) Critical systems contingency plans are not tested (FCD1, NIST SP 800-34, NIST SP 800-53).
    9a(9) Training, testing, and exercises approaches have not been developed (FCD1, NIST SP 800-34, NIST SP 800-53).
    9a(10) Training, testing, and exercises approaches have been developed, but are not fully implemented (FCD1, NIST SP 800-34, NIST SP 800-53).
    9a(11) Disaster recovery exercises were not successful (NIST SP 800-34).
    9a(12) After-action plans did not address issues identified during disaster recovery exercises (FCD1, NIST SP 800-34).
    9a(13) Critical systems do not have alternate processing sites (FCD1, NIST SP 800-34, NIST SP 800-53).
    9a(14) Alternate processing sites are subject to the same risks as primary sites (FCD1, NIST SP 800-34, NIST SP 800-53).
    9a(15) Backups of information are not performed in a timely manner (FCD1, NIST SP 800-34, NIST SP 800-53).
    9a(16) Backups are not appropriately tested (FCD1, NIST SP 800-34, NIST SP 800-53).
    9a(17) Backups are not properly secured and protected (FCD1, NIST SP 800-34, NIST SP 800-53).
  ✓ 9a(18) Other: TIGTA:
           The IRS has made significant progress, but has not resolved its material weakness relating to disaster recovery controls.
           Explanation for Other: TIGTA:
           The IRS has not yet fully implemented adequate processes to ensure disaster recovery capabilities are implemented IRS-wide. While the IRS’s material weakness corrective action plan indicates progress has been made in mitigating disaster recovery issues, corrective actions are still ongoing.

Comments:

S10: Contractor Systems

Status of Agency Program to Oversee Contractor Systems [check one]:
    a. The Agency has established and maintains a program to oversee systems operated on its behalf by contractors or other entities. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
       1. Documented policies and procedures for information security oversight of systems operated on the Agency’s behalf by contractors or other entities, and the Agency obtains sufficient assurance that security controls of systems operated by contractors or others on its behalf are effectively implemented and comply with federal and agency guidelines.
       2. A complete inventory of systems operated on the Agency’s behalf by contractors or other entities.
       3. The inventory identifies interfaces between these systems and Agency-operated systems.
       4. The agency requires agreements (MOUs, Interconnect Service Agreements, contracts, etc.)
for interfaces\n                                               between these systems and those that it owns and operates.\n                                          5. The inventory, including interfaces, is updated at least annually.\n                                          6. Systems that are owned or operated by contractors or entities are subject to and generally meet NIST and\n                                               OMB\xe2\x80\x99s FISMA requirements.\n                                      b. The Agency has established and maintains a program to oversee systems operated on its behalf by contractors\n                                  \xef\x83\xbc       or other entities. However, the Agency needs to make significant improvements as noted below.\n                                      c. The Agency does not have a program to oversee systems operated on its behalf by contractors or other entities.\n10a.If (b) checked above, check       10a(1) Policies to oversee systems operated on the Agency\xe2\x80\x99s behalf by contractors or other entities are not fully\n    areas that need significant               developed.\n    improvement:                      10a(2) Procedures to oversee systems operated on the Agency\xe2\x80\x99s behalf by contractors or other entities are not fully\n                                              developed or consistently implemented.\n                                  \xef\x83\xbc   10a(3) The inventory of systems owned or operated by contractors or other entities is not sufficiently complete.\n                                      10a(4) The inventory does not identify interfaces between contractor/entity-operated systems to Agency-owned\n                                              and operated systems.\n                                      10a(5) The inventory of contractor/entity-operated systems, including interfaces, is not updated at least annually.\n                                      10a(6) Systems owned or 
operated by contractors and entities are not subject to NIST and OMB\xe2\x80\x99s FISMA\n                                              requirements (e.g., certification and accreditation requirements).\n                                      10a(7) Systems owned or operated by contractors and entities do not meet NIST and OMB\xe2\x80\x99s FISMA requirements\n                                              (e.g., certification and accreditation requirements).\n                                      10a(8) Interface agreements (e.g., MOUs) are not properly documented, authorized, or maintained,\n                                      10a(9) Other\n                                              Explanation for Other:\n\n\n\n\n                                                                                                                                                  Page 47\n\x0cThe Department of the Treasury\xe2\x80\x99s Consolidated Response to OMB\xe2\x80\x99s FISMA 2010 Questions for Inspectors General                                       Appendix II\n\n  Comments: TIGTA: The IRS was unable to provide the TIGTA a definitive inventory of contractor managed systems and agreed that this inventory required\n  improvement. In May 2010, the TIGTA reported that current processes were not effective at identifying all contractors who receive IRS taxpayer data and\n  therefore are subject to required security reviews. The IRS has implemented an automated mechanism to identify all contractors that have access to sensitive\n  data. This information will be available to target sites for security reviews during the Fiscal Year 2012 review cycle. 
The IRS stated it will also use this\n  information to determine which of these meet the definition of a contractor system.\n\n\n\n\n                                                                                                                                                        Page 48\n\x0cThe Department of the Treasury FISMA Performance Audit - 2010                                Appendix III\n\nAPPENDIX III \xe2\x80\x93 APPROACH TO SELECTION OF SUBSET OF SYSTEMS\n\nIn Fiscal Year (FY) 2010, KPMG employed a risk-based approach to select a representative subset of\nUnited States Department of the Treasury (Treasury) information systems for the Federal Information\nSecurity Management Act (FISMA) audit. KPMG used the system inventory contained within Treasury\xe2\x80\x99s\nTrusted Agent FISMA (TAF) to identify the population and stratified the population by bureau and office\nto select a representative subset of non-IRS Treasury applications. KPMG performed procedures\nthroughout the fieldwork phase to determine the completeness and accuracy of the non-IRS Treasury\ninventory of information systems.\n\nBased on historical trends in the Treasury systems inventory and past reviews, KPMG selected 13.5\npercent of Treasury\xe2\x80\x99s non-IRS information systems. KPMG selected the representative subset of non-IRS\ninformation systems from TAF on April 14, 2010, prior to the Treasury\xe2\x80\x99s FISMA year-end on June 30,\n2010. This advanced selection allowed KPMG sufficient time to complete planning and prepare for the\nfieldwork phase, which commenced immediately after Treasury\xe2\x80\x99s FISMA year-end.\n\nIn selecting the subset, KPMG stratified the full population of Treasury major applications and general\nsupport systems by bureau and by Federal Information Processing Standards (FIPS) 199 system impact\nlevel. KPMG used a risk-based approach to select systems out of each stratum. 
KPMG considered the following factors to select systems:

•   Total number of systems per bureau
•   Systems at smaller bureaus not historically included in FISMA audits or evaluations
•   Number of systems at each bureau with a FIPS 199 system impact level of "High"
•   Date of the system's Authority to Operate
•   Number of open issues per system
•   Number of issues recently closed per system
•   Number of issues identified in previous FISMA audits, FISMA evaluations, and other recent Office of the Inspector General reviews, and
•   Whether users can access the system over the Internet.

Lastly, the total number of financial systems selected in the representative subset did not exceed the percentage of systems that financial systems represent in the Treasury inventory of information systems. KPMG defined financial systems as those information systems designated as "Financial" systems in Treasury's TAF system.

Based on KPMG's analysis of the Treasury inventory of information systems as of April 14, 2010, we noted that Treasury's inventory included 186 major applications and general support systems. The following table provides KPMG's analysis of the composition of Treasury's inventory of major applications and general support systems.

                                   Total      IRS    Non-IRS    Non-IRS Financial Systems
     Major Applications              133       53         80                           39
     General Support Systems          53       21         32                            4
     Total                           186       74        112                           43

From the analysis above, KPMG determined that IRS systems comprised 40 percent of the total population of Major Applications and General Support Systems, and Non-IRS systems accounted for 60 percent. Applying the subset size percentage of 13.5 percent to the total population of 186 yielded a total subset size of 25 systems. When the IRS to Non-IRS weighting was applied to this total, the resulting sizes for the IRS and Non-IRS subsets were 10 and 15, respectively.

KPMG considered the ratio of Major Applications to General Support Systems as well as the ratio of financial to non-financial information systems. Considering these ratios, KPMG judgmentally selected a representative subset of information systems for testing during the 2010 FISMA audit. Based on these factors, KPMG determined the following composition for the representative subset of Non-IRS Major Applications and General Support Systems for the FY 2010 FISMA audit:

     Total Selected                                                          15
     Total Major Applications                                                 9
     Total General Support Systems                                            6
     Total Systems with a FIPS 199 System Impact Level of "High"              6
     Total Systems with a FIPS 199 System Impact Level of "Moderate"          9
     Total Systems with a FIPS 199 System Impact Level of "Low"               0
     Total Systems Designated as Financial                                    6

KPMG further stratified the number of information systems by bureau to determine the percentage of information systems at each Non-IRS bureau, based on the total population of all Non-IRS information systems. KPMG used this information as a baseline to determine the total number of systems to select at each bureau or office:

     Bureau        Total Systems   Percentage of Total Non-IRS Population   Total Number of Non-IRS Systems to be Selected
     BEP                 5                      4%                                   1
     BPD                14                     13%                                   2
     CDFI Fund           3                      3%                                   1 (see note 1)
     DO                 23                     21%                                   2
     FinCEN              5                      4%                                   1
     FMS                31                     28%                                   3
     Mint               10                      9%                                   1
     OCC                 9                      8%                                   1
     OIG                 1                      1%                                   1 (see notes 1 and 2)
     OTS                 7                      6%                                   1
     TIGTA               2                      2%                                   0 (see note 2)
     TTB                 2                      2%                                   1 (see note 1)
     Total             112                    100% (note 3)                         15

     (Note 1: Using the stratification methodology, we initially did not select a system at these bureaus. However, using our risk-based methodology, KPMG selected at least one system for each of these bureaus.)
     (Note 2: A decision was made by the OIG to inspect only one (1) OIG system every year.)
     (Note 3: Percentages do not sum to 100% due to rounding.)

APPENDIX IV – SELECTED SECURITY CONTROL CLASSES AND FAMILIES

The Federal Information Security Management Act (FISMA) directs the National Institute of Standards and Technology (NIST) to develop and issue standards, guidelines, and other publications to assist federal agencies in defining minimum security requirements for non-national security systems used by agencies. NIST has developed such standards and guidelines as part of its implementation of FISMA. KPMG based its security evaluation on the security controls defined within NIST Special Publication 800-53 Revision 2, Recommended Security Controls for Federal Information Systems. NIST publications define a framework for protecting the confidentiality, integrity, and availability of federal information and information systems consisting of three general classes of controls (i.e., management, operational, and technical).

The tables below list the specific security controls KPMG tested in accordance with NIST Special Publication 800-53.
KPMG selected specific test procedures that were applicable to the computing environment; therefore, not all available security controls within each control family were tested.

Management Controls

Management security controls for information systems focus on the management of risk and the management of information system security.

KPMG assessed the following management control areas:

    •   Certification, Accreditation, and Security Assessments (CA)
    •   Planning (PL)
    •   Risk Assessment (RA)
    •   System and Services Acquisition (SA)

Certification, Accreditation, and Security Assessments:

The organization develops, disseminates, and periodically reviews/updates (i) formal, documented security assessment and certification and accreditation policies that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the security assessment and certification and accreditation policies and the associated security assessment, certification, and accreditation controls.

                         Control       Title
                         CA-2          Security Assessments
                         CA-4          Security Certification
                         CA-5          Plan of Action and Milestones
                         CA-6          Security Accreditation

Planning:

The organization develops, disseminates, and periodically reviews/updates (i) a formal, documented security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the security planning policy and associated security planning controls.

                         Control       Title
                         PL-2          System Security Plan
                         PL-3          System Security Plan Update

Risk Assessment:

The organization develops, disseminates, and periodically reviews/updates (i) a formal, documented risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls.

                         Control       Title
                         RA-2          Security Categorization
                         RA-3          Risk Assessment
                         RA-5          Vulnerability Scanning

System and Services Acquisition:

The organization develops, disseminates, and periodically reviews/updates (i) a formal, documented system and services acquisition policy that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.

                         Control       Title
                         SA-7          User Installed Software

Operational Controls

Operational controls address security methods that focus on mechanisms that are primarily implemented and executed by people (as opposed to systems).

KPMG assessed the following operational control areas:

    •   Configuration Management (CM)
    •   Contingency Planning (CP)
    •   Maintenance (MA)
    •   Media Protection (MP)
    •   Physical and Environmental Protection (PE)

Configuration Management:

The organization develops, disseminates, and periodically reviews/updates (i) a formal, documented configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.

                         Control       Title
                         CM-2          Baseline Configuration

Contingency Planning:

The organization develops, disseminates, and periodically reviews/updates (i) a formal, documented contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.

                         Control       Title
                         CP-2          Contingency Plan
                         CP-4          Contingency Plan Testing and Exercises
                         CP-5          Contingency Plan Update

Maintenance:

The organization develops, disseminates, and periodically reviews/updates (i) a formal, documented information system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the information system maintenance policy and associated system maintenance controls.

                         Control       Title
                         MA-5          Maintenance Personnel

Media Protection:

The organization develops, disseminates, and periodically reviews/updates (i) a formal, documented information system media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the information system media protection policy and associated system media protection controls.

                         Control       Title
                         MP-6          Media Sanitization and Disposal

Physical and Environmental Protection:

The organization develops, disseminates, and periodically reviews/updates (i) a formal, documented information system physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the information system physical and environmental protection policy and associated system physical and environmental protection controls.

                         Control       Title
                         PE-2          Physical Access Authorizations
                         PE-3          Physical Access Control

Technical Controls

Technical security controls for information systems focus on security controls that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware of the system.

KPMG assessed the following technical control areas:

    •   Access Control (AC)
    •   Audit and Accountability (AU)
    •   Identification and Authentication (IA)
    •   System and Communications Protection (SC)

Access Control:

The organization develops, disseminates, and periodically reviews/updates (i) a formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.

                         Control       Title
                         AC-2          Account Management
                         AC-7          Unsuccessful Login Attempts

Audit and Accountability:

The organization develops, disseminates, and periodically reviews/updates (i) a formal, documented audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.

                         Control       Title
                         AU-2          Auditable Events
                         AU-6          Audit Monitoring, Analysis, and Reporting

Identification and Authentication:

The organization develops, disseminates, and periodically reviews/updates (i) a formal, documented identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.

                         Control       Title
                         IA-2          User Identification and Authentication
                         IA-4          Identifier Management

System and Communications Protection:

The organization develops, disseminates, and periodically reviews/updates (i) a formal, documented system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.

                         Control       Title
                         SC-13         Use of Cryptography

APPENDIX V – LIST OF ACRONYMS

       Acronym                 Definition
AC                         Access Control
ACIOCS                     Associate CIO for Cyber Security
ATO                        Authority to Operate
AU                         Audit and Accountability
BEP                        Bureau of Engraving and Printing
BPD                        Bureau of the Public Debt
CA                         Certification, Accreditation, and Security Assessment
CDFI                       Community Development Financial Institutions
CIO                        Chief Information Officer
CIP                        Critical Infrastructure Protection
CISO                       Chief Information Security Officer
CM                         Configuration Management
CP                         Contingency Planning
CSS                        Cyber Security Sub-Council
DO                         Departmental Offices
FDCC                       Federal Desktop Core Configuration
FinCEN                     Financial Crimes Enforcement Network
FIPS                       Federal Information Processing Standards
FISMA                      Federal Information Security Management Act
FMS                        Financial Management Service
FY                         Fiscal Year
GAGAS                      Generally Accepted Government Auditing Standards
IA                         Identification and Authentication
IG                         Inspector General
IRS                        Internal Revenue Service
ISSO                       Information System Security Officer
IT                         Information Technology
KPMG                       KPMG LLP
LAN                        Local Area Network
MA                         Maintenance
Mint                       United States Mint
MP                         Media Protection
NIST                       National Institute of Standards and Technology
OCC                        Office of the Comptroller of the Currency
OCIO                       Office of the Chief Information Officer
OIG                        Office of Inspector General
OIT                        Office of Information Technology
OMB                        Office of Management and Budget
OPTR                       Office of Privacy and Treasury Records
OTS                        Office of Thrift Supervision
PE                         Physical and Environmental Protection
PII                        Personally Identifiable Information
PL                         Planning
POA&M                      Plan of Action and Milestones
RA                         Risk Assessment
SA                         System and Services Acquisition
SC                         System and Communications Protection
SCAP                       Security Content Automation Protocol
SIGTARP                    Special Inspector General for the Troubled Asset Relief Program
TAF                        Trusted Agent FISMA
TARP                       Troubled Asset Relief Program
TCIO                       Treasury Chief Information Officer
TCSIRC                     Treasury Computer Security Incident Response Capability
TD                         Treasury Directive
TD P                       Treasury Directive Publication
TIGTA                      Treasury Inspector General for Tax Administration
TTB                        Alcohol and Tobacco Tax and Trade Bureau
US                         United States

            ATTACHMENT 2

     Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2010, (Audit # 2011-20-003), November 10, 2010

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

                Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2010

                                       November 10, 2010

                              Reference Number: 2011-20-003

  This report remains the property of the Treasury Inspector General for Tax Administration (TIGTA) and may not be disseminated beyond the Internal Revenue Service without the permission of the TIGTA.

 Phone Number  | 202-622-6500
 Email Address | inquiries@tigta.treas.gov
 Web Site      | http://www.tigta.gov

                                                DEPARTMENT OF THE TREASURY
                                                      WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL
  FOR TAX ADMINISTRATION

                                             November 10, 2010

 MEMORANDUM FOR ASSISTANT INSPECTOR GENERAL FOR AUDIT
                OFFICE OF THE INSPECTOR GENERAL
                DEPARTMENT OF THE TREASURY

 FROM:                        Michael R. Phillips
                              Deputy Inspector General for Audit

 SUBJECT:                     Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2010 (Audit # 201020010)

 We are pleased to submit the Treasury Inspector General for Tax Administration's Federal Information Security Management Act (FISMA) 1 report for the Fiscal Year 2010 FISMA evaluation period. 2 The FISMA requires the Office of Inspector General to perform an annual independent evaluation of each Federal agency's information security policies, procedures, and practices, as well as evaluate its compliance with FISMA requirements. This report reflects our independent evaluation of the Internal Revenue Service's (IRS) information technology security program for the period under review.

 We based our evaluation of the IRS on the Office of Management and Budget's (OMB) FISMA 2010 Reporting Guidelines. During the 2010 evaluation period, we conducted 10 audits, as shown in Appendix II, to evaluate the adequacy of information security in the IRS. We considered the results of these audits in our evaluation. In addition, we evaluated a representative sample of 10 major IRS information systems for our FISMA work. For each system in the sample, we assessed the quality of the certification and accreditation process, the annual testing of controls for continuous monitoring, the testing of information technology contingency plans, and the quality of the Plan of Action and Milestones process. We also conducted tests to evaluate processes over configuration management, incident response and reporting, security training, remote access, account and identity management, and contractor oversight.

 Included in Appendix I are our responses to the OMB's 2010 FISMA checklist for the Inspectors General.

 1
  44 U.S.C. §§ 3541–3549.

 2
  The Fiscal Year 2010 FISMA evaluation period for the Department of the Treasury is July 1, 2009, through June 30, 2010. All subsequent references to 2010 refer to the FISMA evaluation period.
Major contributors to this report are listed in Appendix III.

Based on our 2010 evaluation, we determined that the IRS's information security program was generally compliant with the FISMA legislation, OMB information security requirements, and related information security standards published by the National Institute of Standards and Technology. We determined that the following program areas met the level of performance specified by the OMB's 2010 FISMA checklist.

• Certification and accreditation program.
• Incident response and reporting program.
• Remote access management.

While the information security program was generally compliant with the FISMA legislation, the program was not fully effective as a result of the conditions identified in the following areas.

• Configuration management.
• Security training.
• Plans of action and milestones.
• Identity and access management.
• Continuous monitoring management.
• Contingency planning.
• Contractor systems/financial audit.

Specific to the financial audit area, the Government Accountability Office (GAO) reported [3] newly identified and unresolved information security control weaknesses in key financial and tax processing systems continue to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information. Until these control weaknesses are corrected, the IRS remains unnecessarily vulnerable to insider threats related to the unauthorized access to and disclosure, modification, or destruction of financial and taxpayer information, as well as the disruption of system operations and services.
These conditions were the basis for GAO's determination that the IRS had a material weakness in internal controls over financial reporting related to information security in Fiscal Year 2009.

[3] INFORMATION SECURITY: IRS Needs to Continue to Address Significant Weaknesses (GAO-10-355, dated March 2010).

Copies of this report are also being sent to the IRS managers affected by the report results. Please contact me at (202) 622-6510 if you have questions or Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-5894.

Table of Contents

Background ........................................................................ Page 1

Appendices
    Appendix I – Results of the Treasury Inspector General for Tax Administration's Federal Information Security Management Act Review ........ Page 2
    Appendix II – Treasury Inspector General for Tax Administration Information Technology Security Reports Issued During the 2010 Evaluation Period ........ Page 21
    Appendix III – Major Contributors to This Report ........ Page 22
    Appendix IV – Report Distribution List ........ Page 23

Abbreviations

CIO       Chief Information Officer
FCD1      Federal Continuity Directive 1
FDCC      Federal Desktop Core Configuration
FIPS      Federal Information Processing Standards
FISMA     Federal Information Security Management Act
GAO       Government Accountability Office
HSPD      Homeland Security Presidential Directive
IRS       Internal Revenue Service
MOU       Memorandum of Understanding
NIST      National Institute of Standards and Technology
OIG       Office of the Inspector General
OMB       Office of Management and Budget
PIV       Personal Identity Verification
POA&M     Plan of Action and Milestones
TIGTA     Treasury Inspector General for Tax Administration
TT&E      Training, Testing, and Exercises
US-CERT   United States Computer Emergency Response Team

Background

The Internal Revenue Service (IRS) collects and maintains a significant amount of personal and financial information on each taxpayer. The IRS also relies extensively on computerized systems to support its responsibilities in collecting taxes, processing tax returns, and enforcing the Federal tax laws. As custodians of taxpayer information, the IRS has an obligation to protect the confidentiality of this sensitive information against unauthorized access or loss. Otherwise, taxpayers could be exposed to invasion of privacy and financial loss or damage from identity theft or other financial crimes.

The Federal Information Security Management Act (FISMA) [1] was enacted to strengthen the security of information and systems within Federal agencies. As part of this legislation, each Federal Government agency is required to report annually to the Office of Management and Budget (OMB) on the effectiveness of its security programs. In addition, the FISMA requires the Offices of Inspector General to perform an annual independent evaluation of each Federal agency's information security policies and procedures, as well as evaluate its compliance with FISMA requirements. In compliance with the FISMA requirements, the Treasury Inspector General for Tax Administration (TIGTA) performs the annual independent evaluation of the information security program and practices of the IRS.

The OMB provides information security performance measures by which each agency is evaluated for the FISMA review. The OMB uses the information from the agencies and independent evaluations to help assess agency-specific and Federal Governmentwide security performance, develop its annual security report to Congress, and assist in improving and maintaining adequate agency security performance.

Attached is the TIGTA's Fiscal Year 2010 FISMA report.
The report was forwarded to the Treasury Inspector General for consolidation into a report issued to the Department of the Treasury Chief Information Officer.

[1] 44 U.S.C. §§ 3541–3549.

Appendix I

Results of the Treasury Inspector General for Tax Administration's Federal Information Security Management Act Review [1]

The OMB issued a checklist for use by Offices of Inspectors General to assess the level of performance achieved by agencies in the specified program areas during the 2010 FISMA evaluation period. This appendix presents our completed OMB checklist for the IRS.

We determined the level of performance (a, b, or c) that the IRS had achieved for each of the program areas listed. As defined by the OMB, agencies achieve an "a" status for the program area if they have met all the attributes specified by OMB in the "a" section. Agencies achieve a "b" status if they have established the program area, but significant improvements were needed. The OMB listed conditions in the "b" section that, if in need of significant improvement, would prevent agencies from achieving an "a" status.
Agencies achieve a "c" status if they have not yet established the program area.

We checked IRS program areas as an "a" status where we determined that the IRS met all the program attributes specified by the OMB. We checked IRS program areas as a "b" status where we determined that one or more conditions listed by the OMB needed significant improvement at the IRS. Due to time and resource constraints, we were not able to test all conditions listed by the OMB in the "b" sections. Therefore, it is possible that more of these conditions exist at the IRS than those we have checked. We did not check any program areas as a "c" status because the IRS has established all program areas listed by the OMB.

For our FISMA work, we evaluated a representative sample of 10 major IRS information systems, which included 9 IRS systems and 1 contractor-managed system. Of these 10 systems, 1 system had a Federal Information Processing Standards (FIPS) 199 impact level of high, and 9 systems were of a moderate impact level. All 10 systems had a current certification and accreditation, had security controls tested within the past year, and had contingency plans tested in accordance with policy.

[1] Due to the nature of the listing that follows, abbreviations are used exactly as presented in the original document reproduced and are not defined therein. Please see the Abbreviations page after the Table of Contents of this report for a listing of abbreviations.

RESPONSES TO FISCAL YEAR 2010 OMB QUESTIONS FOR INSPECTOR GENERALS

S1: Certification and Accreditation

Status of Certification and Accreditation Program [check one]:

[X] a. The Agency has established and is maintaining a certification and accreditation program that is generally consistent with NIST's and OMB's FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
    1. Documented policies and procedures describing the roles and responsibilities of participants in the certification and accreditation process.
    2. Establishment of accreditation boundaries for Agency information systems.
    3. Categorizes information systems.
    4. Applies applicable minimum baseline security controls.
    5. Assesses risks and tailors security control baseline for each system.
    6. Assessment of the management, operational, and technical security controls in the information system.
    7. Risks to Agency operations, assets, or individuals analyzed and documented in the system security plan, risk assessment, or an equivalent document.
    8. The accreditation official is provided (i) the security assessment report from the certification agent providing the results of the independent assessment of the security controls and recommendations for corrective actions; (ii) the plan of action and milestones from the information system owner indicating actions taken or planned to correct deficiencies in the controls and to reduce or eliminate vulnerabilities in the information system; and (iii) the updated system security plan with the latest copy of the risk assessment.
[ ] b. The Agency has established and is maintaining a certification and accreditation program. However, the Agency needs to make significant improvements as noted below.
[ ] c. The Agency has not established a certification and accreditation program.

1a. If b. checked above, check areas that need significant improvement:
[ ] 1a(1) Certification and accreditation policy is not fully developed.
[ ] 1a(2) Certification and accreditation procedures are not fully developed, sufficiently detailed, or consistently implemented.
[ ] 1a(3) Information systems are not properly categorized (FIPS 199/SP 800-60).
[ ] 1a(4) Accreditation boundaries for Agency information systems are not adequately defined.
[ ] 1a(5) Minimum baseline security controls are not adequately applied to information systems (FIPS 200/SP 800-53).
[ ] 1a(6) Risk assessments are not adequately conducted (SP 800-30).
[ ] 1a(7) Security control baselines are not adequately tailored to individual information systems (SP 800-30).
[ ] 1a(8) Security plans do not adequately identify security requirements (SP 800-18).
[ ] 1a(9) Inadequate process to assess security control effectiveness (SP 800-53A).
[ ] 1a(10) Inadequate process to determine risk to Agency operations, Agency assets, or individuals or to authorize information systems to operate (SP 800-37).
[ ] 1a(11) Inadequate process to continuously track changes to information systems that may necessitate reassessment of control effectiveness (SP 800-37).
[ ] 1a(12) Other.

Explanation for Other:

Comments:

S2: Configuration Management

Status of Security Configuration Management Program [check one]:

[ ] a. The Agency has established and is maintaining a security configuration management program that is generally consistent with NIST's and OMB's FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
    1. Documented policies and procedures for configuration management.
    2. Standard baseline configurations.
    3. Scanning for compliance and vulnerabilities with baseline configurations.
    4. FDCC baseline settings fully implemented and/or any deviations from FDCC baseline settings fully documented.
    5. Documented proposed or actual changes to the configuration settings.
    6. Process for the timely and secure installation of software patches.
[X] b. The Agency has established and is maintaining a security configuration management program. However, the Agency needs to make significant improvements as noted below.
[ ] c. The Agency has not established a security configuration management program.

2a. If b. checked above, check areas that need significant improvement:
[ ] 2a(1) Configuration management policy is not fully developed.
[X] 2a(2) Configuration management procedures are not fully developed or consistently implemented.
[ ] 2a(3) Software inventory is not complete (NIST 800-53: CM-8).
[ ] 2a(4) Standard baseline configurations are not identified for all software components (NIST 800-53: CM-8).
[ ] 2a(5) Hardware inventory is not complete (NIST 800-53: CM-8).
[ ] 2a(6) Standard baseline configurations are not identified for all hardware components (NIST 800-53: CM-2).
[ ] 2a(7) Standard baseline configurations are not fully implemented (NIST 800-53: CM-2).
[ ] 2a(8) FDCC is not fully implemented (OMB) and/or all deviations are not fully documented.
[ ] 2a(9) Software scanning capabilities are not fully implemented (NIST 800-53: RA-5, SI-2).
[X] 2a(10) Configuration-related vulnerabilities have not been remediated in a timely manner (NIST 800-53: CM-4, CM-6, RA-5, SI-2).
[X] 2a(11) Patch management process is not fully developed (NIST 800-53: CM-3, SI-2).
[ ] 2a(12) Other.

Explanation for Other:

Comments:

2a(2): The IRS has not completed corrective actions to resolve the software configuration management component of the IRS computer security material weakness. [2] Although the IRS has made progress in implementing its configuration management program, the IRS corrective action plan for resolving this material weakness indicates ongoing corrective actions with scheduled completion dates ranging from April to December 2011. Until the IRS has implemented adequate configuration management controls Agencywide, it cannot ensure the security and integrity of system programs, files, and data.

• 1-3-20: Ensure security configuration requirements for all system software are documented in an IRS Internal Revenue Manual. (Planned implementation date of April 2011)
• 1-3-21: Implement and maintain baseline standard configurations on system software platforms and perform scheduled testing. This capability covers translation of Internal Revenue Manuals into standard build procedures and implementation/testing processes. (Planned implementation date of April 2011)
• 1-3-22: Ensure system software is controlled under a documented change control process with procedures for assessment of security impact, notifications to Designated Approving Authorities, and appropriate baseline configuration updates. (Planned implementation date of April 2011)
• 1-3-25: Establish and maintain collection and reporting of metrics to assess progress and track improvements in all component activity implementations over time.
  Successful operation of the policy, procedures, and plans for component activities for at least 2 consecutive quarters. Quarterly reviews by Cybersecurity and annual FISMA security reviews will revalidate compliance. (Planned implementation date of December 2011)

2a(10): In March 2010, TIGTA reported [3] that the IRS was not timely addressing high- and medium-risk system vulnerabilities that it identified on Automated Collection System servers. The IRS UNIX Policy Checker scans that the IRS ran on the servers from January through May 2009 reported that some high- and medium-risk vulnerabilities remained on the servers for 2 to 5 months before system administrators took corrective actions.

[2] The IRS declared its security program as a material weakness in 1997. The IRS further categorized the material weakness into nine areas relating to computer security: (1) network access controls; (2) key computer applications and system access controls; (3) software configuration; (4) functional business, operating, and program units security roles and responsibilities; (5) segregation of duties between system and security administrators; (6) contingency planning and disaster recovery; (7) monitoring of key networks and systems; (8) security training; and (9) certification and accreditation. An Executive Steering Committee oversees the plan, ensuring that material weakness areas are addressed by all affected organizations, appropriate policy and procedures are implemented, and actions resolve the systemic cause of the material weakness. The IRS has closed four of the material weakness areas: (4) functional business, operating, and program units security roles and responsibilities; (5) segregation of duties between system and security administrators; (8) security training; and (9) certification and accreditation. The TIGTA did not concur with the IRS's closure of area (4), functional business, operating, and program units security roles and responsibilities.
[3] Additional Security Controls Are Needed to Protect the Automated Collection System (Reference Number 2010-20-028, dated March 30, 2010).

In addition, during the 2010 FISMA evaluation period, the TIGTA concluded fieldwork on an audit to evaluate IRS email servers and found that the IRS is not taking timely actions to correct medium-risk security vulnerabilities identified through monthly scans on its email servers. The Modernization and Information Technology Services organization's Enterprise Operations office uses the Windows Policy Checker to conduct monthly scans of its 70 email servers. The scans conducted from September 2009 through February 2010 determined the servers failed between 73 and 79 medium-risk security checks each month. The number of failed security checks on each server was the same each month.

2a(11): The IRS computer security material weakness relating to configuration management includes unresolved weaknesses in the IRS patch management process.
The IRS corrective action plan for resolving the patch management weaknesses indicates the following two corrective actions will be completed in April 2011.

• 1-3-23: Ensure system software is patched under a documented process that includes standard procedures and fall-back procedures, ensures patch testing, and ensures the dissemination, installation, and verification of patch installations for all components. (Planned implementation date of April 2011)
• 1-3-24: Internal and external monitoring and reporting on secure configuration setting changes and patch levels. "Review" includes comparison to approved changes. "Remediation" includes followup on noncompliant components and testing and implementation of proposed corrections. (Planned implementation date of April 2011)

2b. Identify baselines reviewed:
2b(1) Software Name: None.
2b(2) Software Version: None.

S3: Incident Response and Reporting

Status of Incident Response & Reporting Program [check one]:

[X] a. The Agency has established and is maintaining an incident response and reporting program that is generally consistent with NIST's and OMB's FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
    1. Documented policies and procedures for responding and reporting to incidents.
    2. Comprehensive analysis, validation, and documentation of incidents.
    3. When applicable, reports to US-CERT within established time frames.
    4. When applicable, reports to law enforcement within established time frames.
    5. Responds to and resolves incidents in a timely manner to minimize further damage.
[ ] b. The Agency has established and is maintaining an incident response and reporting program. However, the Agency needs to make significant improvements as noted below.
[ ] c. The Agency has not established an incident response and reporting program.

3a. If b. checked above, check areas that need significant improvement:
[ ] 3a(1) Incident response and reporting policy is not fully developed.
[ ] 3a(2) Incident response and reporting procedures are not fully developed, sufficiently detailed, or consistently implemented.
[ ] 3a(3) Incidents were not identified in a timely manner (NIST 800-53, 800-61, and OMB M-07-16, M-06-19).
[ ] 3a(4) Incidents were not reported to US-CERT as required (NIST 800-53, 800-61, and OMB M-07-16, M-06-19).
[ ] 3a(5) Incidents were not reported to law enforcement as required.
[ ] 3a(6) Incidents were not resolved in a timely manner (NIST 800-53, 800-61, and OMB M-07-16, M-06-19).
[ ] 3a(7) Incidents were not resolved to minimize further damage (NIST 800-53, 800-61, and OMB M-07-16, M-06-19).
[ ] 3a(8) There is insufficient incident monitoring and detection coverage (NIST 800-53, 800-61, and OMB M-07-16, M-06-19).
[ ] 3a(9) Other.

Explanation for Other:

Comments:

S4: Security Training

Status of Security Training Program [check one]:

[ ] a. The Agency has established and is maintaining a security training program that is generally consistent with NIST's and OMB's FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
    1. Documented policies and procedures for security awareness training.
    2. Documented policies and procedures for specialized training for users with significant information security responsibilities.
    3. Appropriate training content based on the organization and roles.
    4. Identification and tracking of all employees with login privileges that need security awareness training.
    5. Identification and tracking of employees without login privileges that require security awareness training.
    6. Identification and tracking of all employees with significant information security responsibilities that require specialized training.
[X] b. The Agency has established and is maintaining a security training program. However, the Agency needs to make significant improvements as noted below.
[ ] c. The Agency has not established a security training program.

4a. If b. checked above, check areas that need significant improvement:
[ ] 4a(1) Security awareness training policy is not fully developed.
[ ] 4a(2) Security awareness training procedures are not fully developed, sufficiently detailed, or consistently implemented.
[ ] 4a(3) Specialized security training policy is not fully developed.
[ ] 4a(4) Specialized security awareness training procedures are not fully developed or sufficiently detailed (SP 800-50, SP 800-53).
[ ] 4a(5) Training material for security awareness training does not contain appropriate content for the Agency (SP 800-50, SP 800-53).
[ ] 4a(6) Identification and tracking of employees with login privileges that require security awareness training is not adequate (SP 800-50, SP 800-53).
[ ] 4a(7) Identification and tracking of employees without login privileges that require security awareness training is not adequate (SP 800-50,
      SP 800-53).\n                                  4a(8) Identification and tracking of employees with significant security\n                                          information security responsibilities is not adequate (SP 800-50,\n                                          SP 800-53).\n                                  4a(9) Training content for individuals with significant information security\n                                          responsibilities is not adequate (SP 800-53, SP 800-16).\n                                  4a(10) Less than 90 percent of employees with login privileges attended security\n                                          awareness training in the past year.\n                                  4a(11) Less than 90 percent of employees, contractors, and other users with\n                                          significant security responsibilities attended specialized security awareness\n                                          training in the past year.\n                             9    4a(12) Other(s).\n                                     (i): Not all contractors with staff-like access were provided with security\n                                          awareness training.\n                                      (ii): Until the IRS improves its identification and tracking of employees and\n                                           contractors with significant security responsibilities, the percentage of\n                                           those who completed specialized security training in the past year cannot\n                                           be verified.\n                                  Explanation for Other(s):\n                                     (i): In accordance with FISMA requirements, IRS policy requires the Agency\n                                          to provide security awareness training to inform all IRS employees and\n                                          contractors of the 
information security risks associated with their activities\n                                          and their responsibilities in complying with IRS policies and procedures\n                                          designed to reduce these risks. However, in June 2010, the GAO reported\n                                          that the IRS did not provide security awareness training for all IRS\n                                          contractors, such as janitors and security guards, who are provided\n                                          unescorted physical access to its facilities containing taxpayer receipts and\n                                          information. 4 Based on the GAO\xe2\x80\x99s finding, the IRS stated it updated its\n                                          policy as of September 7, 2010, to require all contractors to take security\n                                          awareness training suitable to their type of access. The IRS also stated that\n                                          it modified its contractor tracking system to track the completion of the\n                                          required training modules for each contractor during the Fiscal Year 2011\n                                          FISMA evaluation period.\n                                     (ii): We were unable to definitively determine the percentage of employees and\n                                           contractors with significant security responsibilities that completed\n                                           specialized security training in the Fiscal Year 2010 FISMA evaluation\n                                           period. The IRS reported 6,014 of 6,029 (99.8 percent) employees\n                                           completed their required hours of specialized security training for the\n                                           Fiscal Year 2010 FISMA evaluation period. 
The IRS did not track\n\n\n\n\n4\n Management Report: Improvements Are Needed in IRS's Internal Controls and Compliance with Laws and Regulations\n(GAO-10-565R, dated June 2010).\n\n                                                                                                               Page 8\n\x0c                                Treasury Inspector General for Tax Administration \xe2\x80\x93 \n\n                                   Federal Information Security Management Act \n\n                                            Report for Fiscal Year 2010\n\n\n\n                                            contractor completion of specialized security training. In a recent TIGTA\n                                            review, 5 we reported that the IRS needed to improve processes to identify\n                                            all IRS employees and contractors performing in security roles requiring\n                                            specialized training. The IRS had not yet documented in its official policy\n                                            five security roles that the Department of the Treasury policy states must\n                                            receive specialized training. As a result, the IRS agreed to update its\n                                            policy to include all security roles in existence at the IRS and crosswalk\n                                            these with its current training curriculum. 
In addition, the IRS stated it has\n                                            recently modified its contractor tracking system to identify contractors that\n                                            require specialized training and plans to write policy and associated\n                                            security clauses to require contractors to comply with these training\n                                            requirements, to be effective for the Fiscal Year 2012 FISMA evaluation\n                                            period. Until the IRS completes these actions, we cannot verify the\n                                            population of IRS employees and contractors that require specialized\n                                            training or the numbers of those that completed their required training.\nComments:\n\nS5: POA&M \n\nStatus of Plan of Action            a. The Agency has established and is maintaining a POA&M program that is\n& Milestones (POA&M)                   generally consistent with NIST\xe2\x80\x99s and OMB\xe2\x80\x99s FISMA requirements and tracks\nProgram [check one]                    and monitors known information security weaknesses. Although improvement\n                                       opportunities may have been identified by the OIG, the program includes the\n                                       following attributes:\n                                       1. Documented policies and procedures for managing all known IT security\n                                            weaknesses.\n                                       2. Tracks, prioritizes, and remediates weaknesses.\n                                       3. Ensures remediation plans are effective for correcting weaknesses.\n                                       4. Establishes and adheres to reasonable remediation dates.\n                                       5. 
Ensures adequate resources are provided for correcting weaknesses.\n                                       6. Program officials and contractors report progress on remediation to CIO\n                                            on a regular basis, at least quarterly, and the CIO centrally tracks,\n                                            maintains, and independently reviews/validates the POA&M activities at\n                                            least quarterly.\n                                    b. The Agency has established and is maintaining a POA&M program that tracks\n                              9        and remediates known information security weaknesses. However, the Agency\n                                       needs to make significant improvements as noted below.\n                                    c.   The Agency has not established a POA&M program.\n5a. If b. checked above,            5a(1) POA&M policy is not fully developed.\n    check areas that need\n    significant                     5a(2) POA&M procedures are not fully developed, sufficiently detailed, or\n    improvement:                          consistently implemented.\n                              9 5a(3) POA&Ms do not include all known security weaknesses (OMB M-04-25).\n\n\n5\n More Actions Are Needed to Correct the Security Roles and Responsibilities Portion of the Computer Security Material\nWeakness (Reference Number 2010-20-084, dated August 26, 2010).\n\n                                                                                                                    Page 9\n\x0c                                Treasury Inspector General for Tax Administration \xe2\x80\x93 \n\n                                   Federal Information Security Management Act \n\n                                            Report for Fiscal Year 2010\n\n\n\n                                    5a(4) Remediation actions do not sufficiently address weaknesses\n                                  
        (NIST SP 800-53, Rev. 3, Sect. 3.4 Monitoring Security Controls).\n                                    5a(5) Initial dates of security weaknesses are not tracked (OMB M-04-25).\n\n                                    5a(6) Security weaknesses are not appropriately prioritized (OMB M-04-25).\n\n                                    5a(7) Estimated remediation dates are not reasonable (OMB M-04-25).\n\n                                    5a(8) Initial target remediation dates are frequently missed (OMB M-04-25).\n                                    5a(9) POA&Ms are not updated in a timely manner (NIST SP 800-53, Rev. 3,\n                                           Control CA-5, & OMB M-04-25).\n                                    5a(10) Costs associated with remediating weaknesses are not identified\n                                           (NIST SP 800-53, Rev. 3, Control PM-3 & OMB M-04-25).\n                                    5a(11) Agency CIO does not track and review POA&Ms (NIST SP 810-53m,\n                                           Rev. 
3, Control CA-5 & OMB M-04-25).\n                                    5a(12) Other:\n                              9            Security weaknesses were closed in POA&Ms before effective corrective\n                                           action was taken.\n                                    Explanation for Other:\n                                           In August 2009, the TIGTA reported 6 that the IRS had prematurely\n                                           reported resolution of 6 of 13 security control vulnerabilities in the\n                                           POA&M for the Customer Accounts Data Engine before effective\n                                           corrective action was taken.\n                                            In May 2010, the TIGTA reported 7 that the IRS closed four POA&M\n                                            weaknesses identified in the Modernized e-File system before effective\n                                            corrective action was taken.\n                                            During the 2010 FISMA evaluation period, the IRS took steps to improve\n                                            its POA&M procedures, including requiring system owners to document\n                                            sufficient detail regarding how weaknesses were remediated before\n                                            changing their status to \xe2\x80\x9ccompleted.\xe2\x80\x9d We reviewed the weaknesses that\n                                            were closed during the 2010 FISMA cycle for our 10 sample systems and\n                                            found system owners had documented information to support their\n                                            corrective actions. 
However, we did not find information to indicate that\n                                            required verifications were performed before closing these weaknesses as\n                                            per IRS policy. The Cybersecurity organization indicated that this\n                                            verification step may be implemented during the next FISMA cycle,\n                                            depending on available resources.\nComments:\n5a(3): In May 2010, the TIGTA reported 8 that security weaknesses identified by the IRS at seven of the eight\ncontractor facilities we sampled were not maintained in POA&Ms as required by the FISMA. These weaknesses\n\n\n6\n  Customer Account Data Engine Release 4 Includes Most Planned Capabilities and Security Requirements for Processing \n\nIndividual Tax Account Information (Reference Number 2009-20-100, dated August 28, 2009). \n\n7\n  Modernized e-File Will Enhance Processing of Electronically Filed Individual Tax Returns, but System Development and \n\nSecurity Need Improvement (Reference Number 2010-20-041, dated May 26, 2010). \n\n\n                                                                                                                   Page 10\n\x0c                               Treasury Inspector General for Tax Administration \xe2\x80\x93 \n\n                                  Federal Information Security Management Act \n\n                                           Report for Fiscal Year 2010\n\n\n\nincluded access control, configuration management control, and system integrity control issues. The IRS agreed\nwith our report finding that these security weaknesses should be tracked in POA&Ms.\nIn addition, during the Fiscal Year 2010 FISMA evaluation period, the TIGTA completed fieldwork on an audit to\nevaluate IRS email servers and found that medium-risk weaknesses the IRS repeatedly detected on its email servers\nthrough monthly scans were not posted to POA&Ms. 
Monthly scans conducted from September 2009 through\nFebruary 2010 determined that the servers failed between 73 and 79 medium-risk security checks each month.\n\n\nS6: Remote Access Management\nStatus of Remote Access            a. The Agency has established and is maintaining a remote access program that\nProgram [check one]           9       is generally consistent with NIST\xe2\x80\x99s and OMB\xe2\x80\x99s FISMA requirements.\n                                      Although improvement opportunities may have been identified by the OIG,\n                                      the program includes the following attributes:\n                                      1. Documented policies and procedures for authorizing, monitoring, and\n                                           controlling all methods of remote access.\n                                      2. Protects against unauthorized connections or subversion of authorized\n                                           connections.\n                                      3. Users are uniquely identified and authenticated for all access.\n                                      4. If applicable, multi-factor authentication is required for remote access.\n                                      5. Authentication mechanisms meet NIST Special Publication 800-63\n                                           guidance on remote electronic authentication, including strength\n                                           mechanisms.\n                                      6. Requires encrypting sensitive files transmitted across public networks or\n                                           stored on mobile devices and removable media such as CDs and flash\n                                           drives.\n                                      7. 
Remote access sessions are timed-out after a maximum of 30 minutes of\n                                           inactivity, after which re-authentication is required.\n                                   b. The Agency has established and is maintaining a remote access program.\n                                      However, the Agency needs to make significant improvements as noted\n                                      below.\n                                   c.   The Agency has not established a program for providing secure remote access.\n6a. If b. checked above,           6a(1) Remote access policy is not fully developed.\n    check areas that need\n    significant                    6a(2) Remote access procedures are not fully developed, sufficiently detailed, or\n    improvement:                         consistently implemented.\n                                   6a(3) Telecommuting policy is not fully developed (NIST 800-46 Section 5.1).\n                                   6a(4) Telecommuting procedures are not fully developed or sufficiently detailed\n                                         (NIST 800-46 Section 5.4).\n                                   6a(5) Agency cannot identify all users who require remote access (NIST 800-46\n                                         Section 4.2, Section 5.1).\n                                   6a(6) Multi-factor authentication is not properly deployed (NIST 800-46\n                                         Section 2.2, Section 3.3).\n\n\n\n8\n Taxpayer Data Used at Contractor Facilities May Be at Risk for Unauthorized Access or Disclosure (Reference\nNumber 2010-20-51, dated May 18, 2010).\n\n                                                                                                               Page 11\n\x0c                             Treasury Inspector General for Tax Administration \xe2\x80\x93 \n\n                                Federal Information Security Management Act \n\n                             
            Report for Fiscal Year 2010\n\n\n\n\n                                6a(7) Agency has not identified all remote devices (NIST 800-46 Section 2.1).\n                                6a(8) Agency has not determined all remote devices and/or end user computers\n                                       have been properly secured (NIST 800-46 Section 3.1 and Section 4.2).\n                                6a(9) Agency does not adequately monitor remote devices when connected to the\n                                       Agency\xe2\x80\x99s networks remotely (NIST 800-46 Section 3.2).\n                                6a(10) Lost or stolen devices are not disabled and appropriately reported\n                                       (NIST 800-46 Section 4.3, US-CERT Incident Reporting Guidelines).\n                                6a(11) Remote access rules of behavior are not adequate (NIST 800-53, PL-4).\n                                6a(12) Remote access user agreements are not adequate (NIST 800-46 Section 5.1\n                                       & NIST 800-53, PS-6).\n                                6a(13) Other.\n\n                                Explanation for Other:\n\n\nS7: Identity and Access Management\nStatus of Account and           a. The Agency has established and is maintaining an account and identity\nIdentity Management                management program that is generally consistent with NIST\xe2\x80\x99s and OMB\xe2\x80\x99s\nProgram [check one]                FISMA requirements and identifies users and network devices. Although\n                                   improvement opportunities may have been identified by the OIG, the program\n                                   includes the following attributes:\n                                   1. Documented policies and procedures for account and identity\n                                       management.\n                                   2. 
Identifies all users, including Federal employees, contractors, and others\n                                       who access Agency systems.\n                                   3. Identifies when special access requirements (e.g., multi-factor\n                                       authentication) are necessary.\n                                   4. If multi-factor authentication is in use, it is linked to the Agency\xe2\x80\x99s PIV\n                                       program.\n                                   5. Ensures that the users are granted access based on needs and separation of\n                                       duties principles.\n                                   6. Identifies devices that are attached to the network and distinguishes these\n                                       devices from users.\n                                   7. Ensures that accounts are terminated or deactivated once access is no\n                                       longer required.\n                                b. The Agency has established and is maintaining an account and identity\n                            9      management program that identifies users and network devices. However, the\n                                   Agency needs to make significant improvements as noted below.\n                                c.   The Agency has not established an account and identity management program.\n7a. If b. 
checked above,        7a(1) Account management policy is not fully developed.\n    check areas that need\n    significant             9 7a(2) Account management procedures are not fully developed, sufficiently\n    improvement:                        detailed, or consistently implemented.\n                                7a(3) Active directory is not properly implemented (NIST 800-53, AC-2).\n                                7a(4) Other non-Microsoft account management software is not properly\n                                      implemented (NIST 800-53, AC-2).\n\n                                                                                                        Page 12\n\x0c                                 Treasury Inspector General for Tax Administration \xe2\x80\x93 \n\n                                    Federal Information Security Management Act \n\n                                             Report for Fiscal Year 2010\n\n\n\n                                     7a(5) Agency cannot identify all User and Non-User accounts (NIST 800-53,\n                                           AC-2).\n                                     7a(6) Accounts are not properly issued to new users (NIST 800-53, AC-2).\n                                9 7a(7) Accounts are not properly terminated when users no longer require access\n                                            (NIST 800-53, AC-2).\n                                     7a(8) Agency does not use multi-factor authentication when required\n                                            (NIST 800-53, IA-2).\n                                     7a(9) Agency has not adequately planned for implementation of PIV for logical\n                                            access (HSPD-12, FIPS 201, OMB M-05-24, OMB M-07-06,\n                                            OMB M-08-01).\n                                9    7a(10) Privileges granted are excessive or result in capability to perform\n                                  
          conflicting functions (NIST 800-53, AC-2, AC-6).\n                                     7a(11) Agency does not use dual accounts for administrators (NIST 800-53,\n                                            AC-5, AC-6).\n                                     7a(12) Network devices are not properly authenticated (NIST 800-53, IA-3).\n\n                                     7a(13) Other.\n\n                                     Explanation for Other:\nComments:\n7a(2): The IRS has not completed corrective actions to resolve the component of the IRS computer security material\nweakness relating to access controls. While the IRS\xe2\x80\x99s corrective action plan for this material weakness indicates\nprogress has been made in completing the planned actions, there are still ongoing corrective actions with scheduled\ncompletion dates ranging from April to December 2011. These involve ensuring that effective access controls are\nimplemented IRS-wide. Until the IRS completes these corrective actions, it cannot ensure that access to key\ncomputer applications and systems is limited to authorized persons for authorized purposes.\n    \xe2\x80\xa2   1-2-20: Develop implementation plan to ensure that corrective actions 1-2-11, 12, 13, 14, 15, and 16 9 can be\n        applied to all organizations, systems, and applications to full levels of effectiveness regarding policies,\n        procedures, implementations, monitoring, and testing. (Planned implementation date of April 2011)\n    \xe2\x80\xa2   1-2-21: Execute implementation plan to ensure that corrective actions 1-2-11, 12, 13, 14, 15, and 16 can be\n        applied to all organizations, systems, and applications to full levels of effectiveness regarding policies,\n        procedures, implementations, monitoring, and testing. 
(Planned implementation date of April 2011)\n    \xe2\x80\xa2   1-2-22: Establish and maintain collection and reporting of metrics to assess progress and track improvements\n        in all component activity implementations over time. Successful operation of the policy, procedures, and\n        plans for component activities for at least two consecutive quarters. Quarterly review by Cybersecurity and\n        annual FISMA security review will revalidate compliance. (Planned implementation date of\n        December 2011)\n7a(7): In July 2009, the TIGTA reported 10 that, in a sample of 7 systems, 53 of 376 contractors had active user\naccounts but did not have a business need to access these systems. These 53 contractors consisted of contractors\nwhose job duties or access privileges had changed and no longer needed system access, contractors who had\n\n\n9\n  These corrective actions listed relate to account management procedures, including controlling user authorizations and levels of\nprivileges on all systems, applications, databases, and other software. This footnote also applies the corrective action 1-2-21.\n10\n   Computer System Access Controls Over Contractors Need to Be Improved (Reference Number 2009-20-108, dated July 24,\n2009).\n\n                                                                                                                        Page 13\n\x0c                                Treasury Inspector General for Tax Administration \xe2\x80\x93 \n\n                                   Federal Information Security Management Act \n\n                                            Report for Fiscal Year 2010\n\n\n\nseparated from the contract with the IRS, and contractors who had never logged on to the system or had not logged\non to the system within 45 calendar days. We also identified 15 contractors whose system access was not deleted in\na timely manner upon separation from the contract with the IRS. The IRS agreed with our report findings. 
The IRS\nstated that, effective September 7, 2010, it began tracking information from contractors concerning employee status\nchanges, including separations and changes in duties, to ensure timely account termination when access is no longer\nrequired.\nIn addition, in March 2010, the TIGTA reported 11 that the Registered User Portal, which allows tax professionals to\nelectronically submit and retrieve tax-related information, was not configured to disable and remove users\xe2\x80\x99 access\naccounts in accordance with IRS security policies and procedures. Rather than implement the control to disable\ninactive accounts after 45 days as required by IRS policy, the IRS set the control to 720 days. In addition, the IRS\ndid not implement a control to remove inactive accounts. Inactive accounts unnecessarily increase the opportunity\nfor malicious individuals to gain access to taxpayer data through an unused account.\n7a(10): In July 2009, the TIGTA reported 12 that, from a sample of 7 IRS systems, 12 system development\ncontractors had access and full privileges to the production environment of the system on which they worked, in\nviolation of the IRS policy on separation of duties. Developers with access to the production system could bypass\ncontrols and make unapproved and untested changes. In addition, 39 system administration contractors also had\ndatabase administrator privileges. This lack of separation of duties could jeopardize the integrity of the data and\nallow unauthorized changes to the data to go undetected. 
The IRS stated it is now notifying contractors during the on-boarding process of the separation of duties requirement and requiring contractors to identify which one of those duties they will perform, if any.

In addition, in March 2010, the TIGTA reported [13] that 6 of 109 sampled employees’ system privileges on the Automated Collection System were not restricted to only those privileges needed to perform assigned duties. Excessive privileges granted included the ability to increase the privileges of other users and to perform management queries to view large amounts of sensitive tax collection data. When users are granted access permissions beyond their assigned responsibilities, the risks of malicious actions and unauthorized disclosure of taxpayer data are increased. In addition, 58 employees had unneeded privileges that allowed them the authority to create, modify, or delete the system audit trails. These actions, taken either accidentally or intentionally, could conceal unauthorized activity and compromise the integrity of the audit trail.

[11] Additional Security Is Needed for Access to the Registered User Portal (Reference Number 2010-20-027, dated March 31, 2010).
[12] Computer System Access Controls Over Contractors Need to Be Improved (Reference Number 2009-20-108, dated July 24, 2009).
[13] Additional Security Controls Are Needed to Protect the Automated Collection System (Reference Number 2010-20-028, dated March 30, 2010).

S8: Continuous Monitoring Management

Status of Continuous Monitoring Program [check one]:
    [ ] a. The Agency has established an entity-wide continuous monitoring program that assesses the security state of information systems that is generally consistent with NIST’s and OMB’s FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
        1. Documented policies and procedures for continuous monitoring.
        2. Documented strategy and plans for continuous monitoring, such as vulnerability scanning, log monitoring, notification of unauthorized devices, sensitive new accounts, etc.
        3. Ongoing assessments of selected security controls (system-specific, hybrid, and common) that have been performed based on the approved continuous monitoring plans.
        4. Provides system authorizing officials and other key system officials with security status reports covering updates to security plans and security assessment reports, as well as POA&M additions.
    [X] b. The Agency has established an entity-wide continuous monitoring program that assesses the security state of information systems. However, the Agency needs to make significant improvements as noted below.
    [ ] c. The Agency has not established a continuous monitoring program.

8a. If b. checked above, check areas that need significant improvement:
    [ ] 8a(1) Continuous monitoring policy is not fully developed.
    [ ] 8a(2) Continuous monitoring procedures are not fully developed or consistently implemented.
    [ ] 8a(3) Strategy or plan has not been fully developed for entity-wide continuous monitoring (NIST 800-37).
    [ ] 8a(4) Ongoing assessments of selected security controls (system-specific, hybrid, and common) have not been performed (NIST 800-53, NIST 800-53A).
    [ ] 8a(5) The following were not provided to the system authorizing official or other key system officials: security status reports covering continuous monitoring results, updates to security plans, security assessment reports, and POA&Ms (NIST 800-53, NIST 800-53A).
    [X] 8a(6) Other: The IRS has not resolved its computer security material weakness relating to audit logging.

Explanation for Other:
    The IRS has not completed corrective actions to resolve the audit logging component of the IRS computer security material weakness. The IRS corrective action plan for resolving the audit logging weakness indicates that there are still ongoing corrective actions with scheduled completion dates ranging from February 2011 to October 2013.
    Until corrective actions are completed to resolve the audit logging material weakness, the IRS cannot effectively monitor key networks and systems to identify unauthorized activities and inappropriate system configurations.

    During the 2010 FISMA evaluation period, the TIGTA reported that the IRS continues to have problems with audit logging. In March 2010, the TIGTA reported [14] that the IRS does not analyze the audit logs for the Registered User Portal system to detect unlawful or unauthorized activities. Consequently, unauthorized access to taxpayer data could go undetected.

    In March 2010, the TIGTA reported [15] that the IRS is not capturing all of the required auditable events in Automated Collection System audit trails. The IRS informed us that enabling all required auditing events would negatively affect system performance.

    In July 2010, the TIGTA reported [16] **********2(f)**********************************************.

Comments:

S9: Contingency Planning

Status of Contingency Planning Program [check one]:
    [ ] a. The Agency established and is maintaining an entity-wide business continuity/disaster recovery program that is generally consistent with NIST’s and OMB’s FISMA requirements.
    Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
        1. Documented business continuity and disaster recovery policy providing the authority and guidance necessary to reduce the impact of a disruptive event or disaster.
        2. The Agency has performed an overall Business Impact Assessment.
        3. Development and documentation of division, component, and IT infrastructure recovery strategies, plans, and procedures.
        4. Testing of all system-specific contingency plans.
        5. The documented business continuity and disaster recovery plans are ready for implementation.
        6. Development of training, testing, and exercises (TT&E) approaches.
        7. Performance of regular ongoing testing or exercising of continuity/disaster recovery plans to determine effectiveness and to maintain current plans.
    [X] b. The Agency has established and is maintaining an entity-wide business continuity/disaster recovery program. However, the Agency needs to make significant improvements as noted below.
    [ ] c. The Agency has not established a business continuity/disaster recovery program.

[14] Additional Security Is Needed for Access to the Registered User Portal (Reference Number 2010-20-027, dated March 31, 2010).
[15] Additional Security Controls Are Needed to Protect the Automated Collection System (Reference Number 2010-20-028, dated March 30, 2010).
[16] Additional Actions and Resources Are Needed to Resolve the Audit Trail Portion of the Computer Security Material Weakness (Reference Number 2010-20-082, dated July 28, 2010).

9a. If b. checked above, check areas that need significant improvement:
    [ ] 9a(1) Contingency planning policy is not fully developed.
    [ ] 9a(2) Contingency planning procedures are not fully developed or consistently implemented.
    [ ] 9a(3) An overall business impact assessment has not been performed (NIST SP 800-34).
    [ ] 9a(4) Development of organization, component, or infrastructure recovery strategies and plans has not been accomplished (NIST SP 800-34).
    [ ] 9a(5) A business continuity/disaster recovery plan has not been developed (FCD1, NIST SP 800-34).
    [ ] 9a(6) A business continuity/disaster recovery plan has been developed, but not fully implemented (FCD1, NIST SP 800-34).
    [ ] 9a(7) System contingency plans missing or incomplete (FCD1, NIST SP 800-34, NIST SP 800-53).
    [ ] 9a(8) Critical systems contingency plans are not tested (FCD1, NIST SP 800-34, NIST SP 800-53).
    [ ] 9a(9) Training, testing, and exercises approaches have not been developed (FCD1, NIST SP 800-34, NIST SP 800-53).
    [ ] 9a(10) Training, testing, and exercises approaches have been developed, but are not fully implemented (FCD1, NIST SP 800-34, NIST SP 800-53).
    [ ] 9a(11) Disaster recovery exercises were not successful (NIST SP 800-34).
    [ ] 9a(12) After-action plans did not address issues identified during disaster recovery exercises (FCD1, NIST SP 800-34).
    [ ] 9a(13) Critical systems do not have alternate processing sites (FCD1, NIST SP 800-34, NIST SP 800-53).
    [ ] 9a(14) Alternate processing sites are subject to same risks as primary sites (FCD1, NIST SP 800-34, NIST SP 800-53).
    [ ] 9a(15) Backups of information are not performed in a timely manner (FCD1, NIST SP 800-34, NIST SP 800-53).
    [ ] 9a(16) Backups are not appropriately tested (FCD1, NIST SP 800-34, NIST SP 800-53).
    [ ] 9a(17) Backups are not properly secured and protected (FCD1, NIST SP 800-34, NIST SP 800-53).
    [X] 9a(18) Other: The IRS has made significant progress, but has not resolved its material weakness relating to disaster recovery controls.

Explanation for Other:
    The IRS has not yet fully implemented adequate processes to ensure disaster recovery capabilities are implemented IRS-wide.
    While the IRS’s material weakness corrective action plan indicates progress has been made in mitigating disaster recovery issues, the following disaster recovery corrective actions are still ongoing with scheduled completion dates ranging from October 2010 to December 2011. These involve ensuring effective disaster recovery controls are implemented IRS-wide. Until the IRS has completed its corrective actions to resolve this weakness, it cannot ensure critical business systems can be timely restored when unexpected events occur.
        •   1-6-16 – Disaster Recovery Compliance: Complete internal auditing of the disaster recovery efforts to ensure accuracy and completeness as it relates to day-to-day operations and efforts to mitigate the material weakness. Establish and maintain metrics documentation to assess progress and track improvements in all component activities over time. Conduct an annual evaluation to revalidate compliance. (Planned implementation date of July 2011)
        •   1-6-17 – Disaster Recovery Plans: Develop and maintain Information Technology contingency plans associated with general support systems to include all components that support critical applications. Establish and maintain data and processing backup-recovery capability. Ensure maximum allowable outage times meet the recovery time objectives of the applications being supported. (Planned implementation date of December 2010)
        •   1-6-19 – Technical Assessment: Perform annual system risk assessments. Develop a true redundancy/resilience analysis. Based on the critical business processes, develop a site-based restoration vulnerability analysis. Create a Recovery Point Objective and Recovery Time Objective analysis and gain concurrence from both the business operating divisions and the Modernization and Information Technology Services organizations. Incorporate a technical assessment tool that will provide an infrastructure impact analysis in the event of a disaster. Implement backup-recovery capabilities to meet application maximum allowable outages and recovery time objectives of all Information Technology systems supporting the critical business processes. (Planned implementation date of July 2011)
        •   1-6-20 – Metrics: Establish and maintain metrics to assess progress and track improvements in all component activities over time. Successful operation of the policy, procedures, and plans for component activities for at least two quarters. Annual FISMA testing will revalidate compliance. (Planned implementation date of December 2011)

Comments:

S10/S11: Contractor Systems/Financial Audit

Status of Agency Program to Oversee Contractor Systems [check one]:
    [ ] a. The Agency has established and maintains a program to oversee systems operated on its behalf by contractors or other entities.
    Although improvement opportunities may have been identified by the OIG, the program includes the following attributes:
        1. Documented policies and procedures for information security oversight of systems operated on the Agency’s behalf by contractors or other entities. The Agency obtains sufficient assurance that security controls of systems operated by contractors or others on its behalf are effectively implemented and comply with Federal and Agency guidelines.
        2. A complete inventory of systems operated on the Agency’s behalf by contractors or other entities.
        3. The inventory identifies interfaces between these systems and Agency-operated systems.
        4. The Agency requires agreements (MOUs, Interconnect Service Agreements, contracts, etc.) for interfaces between these systems and those that it owns and operates.
        5. The inventory, including interfaces, is updated at least annually.
        6. Systems that are owned or operated by contractors or entities are subject to and generally meet NIST’s and OMB’s FISMA requirements.
    [X] b. The Agency has established and maintains a program to oversee systems operated on its behalf by contractors or other entities. However, the Agency needs to make significant improvements as noted below.
    [ ] c. The Agency does not have a program to oversee systems operated on its behalf by contractors or other entities.

10a. If (b) checked above, check areas that need significant improvement:
    [ ] 10a(1) Policies to oversee systems operated on the Agency’s behalf by contractors or other entities are not fully developed.
    [ ] 10a(2) Procedures to oversee systems operated on the Agency’s behalf by contractors or other entities are not fully developed or consistently implemented.
    [X] 10a(3) The inventory of systems owned or operated by contractors or other entities is not sufficiently complete.
    [ ] 10a(4) The inventory does not identify interfaces between contractor/entity-operated systems to Agency-owned and operated systems.
    [ ] 10a(5) The inventory of contractor/entity-operated systems, including interfaces, is not updated at least annually.
    [ ] 10a(6) Systems owned or operated by contractors and entities are not subject to NIST’s and OMB’s FISMA requirements (e.g., certification and accreditation requirements).
    [ ] 10a(7) Systems owned or operated by contractors and entities do not meet NIST’s and OMB’s FISMA requirements (e.g., certification and accreditation requirements).
    [ ] 10a(8) Interface agreements (e.g., MOUs) are not properly documented, authorized, or maintained.
    [ ] 10a(9) Other.

Explanation for Other:

Comments:
10a(3): The IRS was unable to provide us with a definitive inventory of contractor-managed systems and agreed that this inventory required improvement. In May 2010, the TIGTA reported [17] that current processes were not effective at identifying all contractors who receive IRS taxpayer data and therefore are subject to required security reviews. The IRS agreed with our finding and has implemented an automated mechanism to identify all contractors that have access to sensitive data. This information will be available to target sites for security reviews during the Fiscal Year 2012 review cycle. The IRS stated it will also use this information to determine which of these meet the definition of a contractor system. In addition, where contracts may not fall into the definition of a contract system, the IRS is working towards developing new contract language to address security requirements and to potentially provide these contractors with IRS-configured laptops to help enforce security policy.

11. Financial Audit
    11a. For the latest Financial Audit Report issued for the Agency, please provide the date of the report and indicate whether there was a material weakness or reportable condition concerning information security.

    Input for 11a:
    In March 2010, the GAO reported [18] that newly identified and unresolved information security control weaknesses in key financial and tax processing systems continue to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information. Until these control weaknesses and program deficiencies are corrected, the IRS remains unnecessarily vulnerable to insider threats related to the unauthorized access to and disclosure, modification, or destruction of financial and taxpayer information, as well as the disruption of system operations and services. The new and unresolved weaknesses and deficiencies at the IRS were the basis for the GAO’s determination that the IRS had a material weakness in internal controls over financial reporting related to information security in Fiscal Year 2009.

[17] Taxpayer Data Used at Contractor Facilities May Be at Risk for Unauthorized Access or Disclosure (Reference Number 2010-20-051, dated May 18, 2010).
[18] INFORMATION SECURITY: IRS Needs to Continue to Address Significant Weaknesses (GAO-10-355, dated March 2010).
Appendix II

Treasury Inspector General for Tax Administration
Information Technology Security Reports Issued During the 2010 Evaluation Period

1. Computer System Access Controls Over Contractors Need to Be Improved (Reference Number 2009-20-108, dated July 24, 2009).
2. Customer Account Data Engine Release 4 Includes Most Planned Capabilities and Security Requirements for Processing Individual Tax Account Information (Reference Number 2009-20-100, dated August 28, 2009).
3. Significant Improvements Have Been Made to Protect Sensitive Data on Laptop Computers and Other Portable Electronic Media Devices (Reference Number 2009-20-120, dated August 31, 2009).
4. Progress Has Been Made, but Additional Steps Are Needed to Ensure Taxpayer Accounts Are Monitored to Detect Unauthorized Employee Accesses (Reference Number 2009-20-119, dated September 9, 2009).
5. While Effective Actions Have Been Taken to Address Previously Reported Weaknesses in the Protection of Federal Tax Information at State Government Agencies, Additional Improvements Are Needed (Reference Number 2010-20-003, dated November 10, 2009).
6. Additional Security Controls Are Needed to Protect the Automated Collection System (Reference Number 2010-20-028, dated March 30, 2010).
7. Additional Security Is Needed for Access to the Registered User Portal (Reference Number 2010-20-027, dated March 31, 2010).
8. Taxpayer Data Used at Contractor Facilities May Be at Risk for Unauthorized Access or Disclosure (Reference Number 2010-20-051, dated May 18, 2010).
9. Modernized e-File Will Enhance Processing of Electronically Filed Individual Tax Returns, but System Development and Security Need Improvement (Reference Number 2010-20-041, dated May 26, 2010).
10. Implementation of General Support System Security Controls Needs Improvement to Protect Taxpayer Data (Reference Number 2010-20-063, dated June 7, 2010).

Appendix III

Major Contributors to This Report

Alan Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)
Kent Sagara, Director
Jody Kitazono, Audit Manager
Joan Bonomi, Senior Auditor
Richard Borst, Senior Auditor
Bret Hunter, Senior Auditor
Louis Lee, Senior Auditor
Larry Reimer, Senior Auditor
Frank O’Connor, Auditor
Victor Taylor, Auditor

Appendix IV

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Chief Technology Officer OS:CTO
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Liaison: Chief Technology Officer OS:CTO